Security Road Show - Calgary

© 2014 Scalar Decisions Inc. Not for distribution outside of intended audience


9:00am – 9:15am Welcome
9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see!
9:45am – 10:15am F5 – Protect your web applications
10:15am – 10:30am Break
10:30am – 11:00am Splunk – Big data, next generation SIEM
11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks?
11:30am – 12:00pm Closing remarks, Q&A
12:00pm – 12:30pm Boxed Lunches
Today’s Speakers
– Geoff Shukin – Palo Alto Networks
– Clayton Sopel – F5
– Menno Vanderlist – Splunk
– Ed O’Connell – Infoblox
– Founded in 2004
– $125M in CY13 revenues
– 25% growth YoY
– 120 employees nationwide
– Nationwide presence: Toronto | Vancouver | Ottawa | Calgary | London
– Greater than 1:1 technical:sales ratio
– Background in architecting mission-critical data centre infrastructure
• The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools
• Delivering infrastructure services which support core applications
WHY SCALAR?
Experience | Innovation | Execution
• Top technical talent in Canada
– Engineers average 15 years’ experience
• We train the trainers
– Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox
• Our partners recognize we’re the best
– Brocade Partner of the Year – Innovation
– Cisco Partner of the Year – Data Centre & Virtualization
– VMware Global Emerging Products Partner of the Year
– F5 Canadian Partner of the Year
– Palo Alto Networks Rookie of the Year
– NetApp Partner of the Year – Central
• Unique infrastructure solutions designed to meet your needs
– StudioCloud
– HPC & Trading Systems
• Testing Centre & Proving Grounds
– Ensuring emerging technologies are hardened, up to the task of Enterprise workloads
• Vendor Breadth
– Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets
“Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”

“We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”

“Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”

PALO ALTO NETWORKS
Palo Alto Networks
Controlling Threats
Geoff Shukin, Senior SE Palo Alto Networks
#netgun

context |ˈkänˌtekst| noun
the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed

context → intelligence → action
Two sessions that are identical at the network layer (same source IP, destination IP and destination port) and differ only in context:

Attribute             Session 1               Session 2
source IP             172.16.1.10             172.16.1.10
destination IP        64.81.2.23              64.81.2.23
destination port      tcp/443                 tcp/443
protocol              HTTP over SSL           HTTP over SSL
destination country   canada                  china
application           slideshare              web-browsing
application function  slideshare-uploading    n/a
URL category          file-sharing            unknown
file name             roadmap.pdf             shipment.exe
file type             pdf                     exe
size                  344 KB                  344 KB
user                  bjacobs                 fthomas
group                 prodmgmt                finance
Example kill chain (ZeroAccess), with the way each step evades traditional controls:
1. Exploit Kit – hides within SSL
2. Contact New Domain – new domain, no reputation
3. ZeroAccess Delivered – payload evades AV
4. C2 Established – C2 hides using nonstandard ports
5. Data Stolen / Custom C2 & Hacking – no signature for custom malware
6. Spread Laterally – hides in plain sight
7. Secondary Payload – payload evades C2 signatures
8. Exfiltration via RDP & FTP
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base
All Applications, All Attack Vectors, All Threats

Datacenter
• Validate business applications & users
• Find rogue/misconfigured apps
• High speed threat prevention

Gateway
• Visibility into all traffic
• Enable apps to reduce exposure
• Block known/unknown threats

Segmentation
• Isolate critical data, business functions
• Enable applications based on users
• Block known/unknown threats
Threat sophistication increases from commodity threats through organized cybercrime to nation state actors (advanced threats):

Commodity threats (very common, easily identified)
• Low sophistication, slowly changing
• Mostly addressed by traditional AV and IPS

Organized cybercrime (more customized exploits and malware)
• Somewhat more sophisticated payloads
• Evasion techniques often employed
• Sandboxing and other smart detection often required

Nation state (very targeted, persistent, creative)
• Machine vs. machine
• Intelligent and continuous monitoring of passive network-based and host-based sensors
• Comprehensive investigation after an indicator is found
• Highly coordinated response is required for effective prevention and remediation
• Evolving from incident response mindset to intelligence mindset
• No intelligence exists without visibility
• Applying the intelligence and resulting IOCs to the kill chain
• Sharing what you know
• It’s a campaign, not just an attack
• Appreciate and utilize the intelligence cycle

Security stack (point controls):
• Block an IP address
• Block a URL
• Block a session
• Block a known virus
• Heuristically block spam
• Block bad attachments

Intelligence Cycle (the campaign as a set of indicators {A, B, C, D, E, F, G, H, I, J, K, L, M, N, O}):
• Recons by A, B and C
• Builds this kind of weapon: D
• Delivers the weapon by E, F and G
• Exploits the network by H and I
• Installs itself by J
• Establishes C2 by K, L and M
• Performs N and O on the objective
• You don’t have intelligence if you don’t have visibility
• Visibility required across the whole network
• Ideally, you can see and understand applications, content, and users
• Then make sense of what you see
1. Changes driven by “location”
– Where’s the user?
– Where’s the app?
– Where’s the server?

2. Changes driven by security evolution
– Who and where is the attacker?
– What is their level of sophistication?
– What are their motives?

Users are moving off the network
Apps are moving off the network
Servers are moving to private and public clouds
Traffic is moving off the network
• Visibility provides intelligence around the indicators of compromise (IOC)
• IOCs applied to the kill chain provide actionability
• Highly automated kill chain
Traditional detection
Sandbox-based detection
Anti-malware signature generation
IPS (C&C) signature generation
DNS (C&C) signature generation
Malware URL list generation
• In the cyber security battle, sharing is key
• Three ways this is happening
1. External – industry initiatives
2. External – technology partnerships
3. Internal – your security technology should leverage the network
• Automatic detection in real time in private or public cloud
• Automatic generation of several defensive measures
• Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection
• Automatic installation of defensive measures provides full prevention immediately
• You benefit from the threat intelligence of 2,500+ organizations across the industry

F5
F5 Security for an application driven world
F5 Provides Complete Visibility and Control Across Applications and Users

Between Users and Resources, F5 places DNS, Web and Access services on one platform (TMOS): Intelligent Services (Dynamic Threat Defense), DDoS Protection, Protocol Security and Network Firewall.

Securing access to applications from anywhere
Protecting your applications regardless of where they live

© F5 Networks, Inc
Security Trends and Challenges
[Chart: security incidents from May 2012 through June 2013 plotted by month, each labelled with the victim’s industry (bank, government, online services, news & media, education, telco, software, DNS provider, retail, utility, industrial, non-profit, auto, health, gaming, airport and others) and with the attack type where known (spear phishing, physical access, XSS). Size of circle estimates relative impact of incident in terms of cost to business.]
More sophisticated attacks are multi-layer: Network, DNS, SSL, Application

The business impact of DDoS: cost of corrective action; reputation management
OWASP Top 3 Application Security Risks

1 – Injection
Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data.

2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity.

3 – Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user.

Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

The F5 Approach
Full Proxy Security

Client / Server

Client / Server

Web application

Web application

Application

Application

SSL inspection and SSL DDoS mitigation

Session

Session

L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

Network

Network

Physical

Physical

Application health monitoring and performance anomaly detection
HTTP proxy, HTTP DDoS and application security

© F5 Networks, Inc

CONFIDENTIAL

46
The F5 Application Delivery Firewall
Bringing deep application fluency to firewall security
One platform: Network firewall | Traffic management | Application security | Access control | DDoS mitigation | SSL inspection | DNS security
Common Criteria EAL2+; EAL4+ (in process)
Positive vs Negative
• Positive security
– Known-good traffic
– Permit only what is defined in the security policy (whitelisting)
– Block everything else
• Negative security
– Known-bad traffic
– Pattern matching for malicious content using regular expressions
• Policy enforcement is based on positive security logic
• Negative security logic is used to complement positive logic
How Does It Work?
Security at application, protocol and network level
1. Request made
2. Security policy checked
3. Enforcement (actions: log, block, allow)
4. Server response
5. Security policy applied to the response (content scrubbing, application cloaking)
6. Response delivered

BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.
Positive security is enforced on each request in seven steps:
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers

Example request (\r\n marks the CRLF line endings):
GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n
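The seven steps above as one positive-security check over a raw request, finished with a negative-security signature scan, as an added example (Python, not F5 or BIG-IP ASM code). The policy, the allowed-parameter table and the signature patterns are constructed for this example; run against the slide’s request it flags the unknown admin parameter and the apostrophe in name, while a clean request passes with no violations.

```python
"""Positive-security request checks in the seven steps the slide lists, finished
with a negative-security signature scan. Added example, not F5/BIG-IP code."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed policy for the example application behind /search.php.
POLICY = {
    "methods": {"GET", "POST"},
    "max_uri_len": 256,
    "max_header_len": 1024,
    "file_types": {"php", "html", "css", "js", "png"},
    "urls": {"/search.php", "/index.php"},
    # URL -> {parameter name: (allowed value pattern, max value length)}
    "params": {"/search.php": {"q": (re.compile(r"^[A-Za-z0-9 ]*$"), 64),
                               "name": (re.compile(r"^[A-Za-z0-9 ]*$"), 32)}},
}
# Illustrative known-bad patterns (assumed, not a vendor signature set); they run
# last, over whatever the positive checks did not already reject.
SIGNATURES = [
    ("sql-injection", re.compile(r"(?i)('|\")\s*(or|and)\s+|union\s+select|--\s*$")),
    ("xss", re.compile(r"(?i)<\s*script|javascript:")),
    ("path-traversal", re.compile(r"\.\./")),
]
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Step 1, RFC compliance: return (method, target, headers) or raise ValueError."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header %r" % line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("request without Host header")
    return m.group(1), m.group(2), headers


def check_request(raw, policy=POLICY):
    """Return violations in step order; an empty list means the request is allowed."""
    try:
        method, target, headers = parse_request(raw)              # 1. RFC compliance
    except ValueError as err:
        return ["rfc: %s" % err]
    v = []
    if method not in policy["methods"]:
        v.append("rfc: method %s not allowed" % method)
    if len(target) > policy["max_uri_len"]:                       # 2. length limits
        v.append("length: URI too long")
    v += ["length: header %s too long" % k
          for k, val in headers.items() if len(val) > policy["max_header_len"]]
    parts = urlsplit(target)
    ext = parts.path.rsplit(".", 1)[-1] if "." in parts.path else ""
    if ext not in policy["file_types"]:                           # 3. valid types
        v.append("filetype: .%s not allowed" % ext)
    if parts.path not in policy["urls"]:                          # 4. valid URLs
        v.append("url: %s not allowed" % parts.path)
    allowed = policy["params"].get(parts.path, {})
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:                                   # 5. valid parameters
            v.append("param: %s not allowed" % name)
            continue
        pattern, max_len = allowed[name]
        if len(value) > max_len:                                  # 6. max value length
            v.append("param: %s exceeds %d chars" % (name, max_len))
        if not pattern.match(value):
            v.append("param: %s has illegal characters" % name)
    fields = [("uri", target)] + [("header " + k, val) for k, val in headers.items()]
    fields += [("param " + n, val) for n, val in params]
    for where, text in fields:                                    # 7. signature scan
        v += ["signature: %s in %s" % (sig, where)
              for sig, pattern in SIGNATURES if pattern.search(text)]
    return v


# The slide's request (headers trimmed; \u2019 is its curly apostrophe) and a clean one.
SLIDE_REQUEST = ("GET /search.php?name=Acme\u2019s&admin=1 HTTP/1.1\r\n"
                 "Host: 172.29.44.44\r\n"
                 "Connection: keep-alive\r\n"
                 "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
                 "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n\r\n")
CLEAN_REQUEST = "GET /search.php?q=data HTTP/1.1\r\nHost: 172.29.44.44\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("slide", SLIDE_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, check_request(req) or "allow")
```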
Automatic HTTP/S DOS Attack Detection and Protection
• Accurate detection technique, based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
Detect a DOS condition → Identify potential attackers → Drop only the attackers

To Simplify: Application-Oriented Policies and Reports
IP INTELLIGENCE
The IP intelligence service, fed by an IP address feed that updates every 5 min and by a geolocation database, blocks requests to custom and financial applications from known-bad sources: botnets, attackers, scanners, anonymous proxies and anonymous requests, restricted regions or countries, and internally infected devices and servers.
Built for intelligence, speed and scale
Concurrent user sessions: 100K
Concurrent logins: 1,500/sec.
Throughput: 640 Gbps
Concurrent connections: 288 M
DNS query response: 10 M/sec
SSL TPS (2K keys): 240K/sec
Connections per second: 8M

Application Delivery Firewall: Network firewall | Traffic management | Application security | Access control | DDoS mitigation | SSL inspection | DNS security

Products
Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access
Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto
iRules extensibility everywhere
Explore: The F5 DDoS Protection Reference Architecture, f5.com/architectures

Summary
• Customers invest in network security, but most significant threats are at the application layer
• Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data
• A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges
• F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access

BREAK

SPLUNK
Copyright © 2014 Splunk Inc.

Splunk for Security Intelligence
Make machine data accessible, usable and valuable to everyone.

The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
Machine data is the fastest growing, most complex, most valuable area of big data: GPS, RFID, hypervisor, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops
The Splunk Security Intelligence Platform
Machine data sources: online services, web services, servers, security, GPS location, packaged applications, networks, desktops, storage, messaging, telecoms, custom applications, RFID, energy meters, online shopping cart, databases, web clickstreams, call detail records, smartphones and devices
Indexed on commodity servers into HA indexes and storage
Security use cases: forensic investigation, security operations, compliance, fraud detection
Rapid Ascent in the Gartner SIEM Magic Quadrant (2011, 2012, 2013)

Industry Accolades: Best SIEM Solution | Best Enterprise Security Solution | Best Security Product

Over 2800 Global Security Customers

Splunk Security Intelligence Platform: 120+ security apps
Splunk App for Enterprise Security
Partner Ecosystem: Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat Proxy SG, Sourcefire
What is the Value Add to Existing Customers?
Visibility and Correlation of Rich Data
Improved Security Posture
Configurable Dashboard Views

All Data is Security Relevant = Big Data
Traditional SIEM sources: firewall, authentication, vulnerability scans, data loss prevention, intrusion detection, anti-malware
Additional sources: databases, email, web, desktops, servers, DHCP/DNS, network flows, custom apps, hypervisor, badges, storage, mobile, service desk, call detail records, industrial control

Making Sound Security Decisions
Inputs: binary data (flow and PCAP), log data, threat intelligence feeds, context data
Volume | Velocity | Variety | Variability
Case #1 – Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
Case #2 – Real-time Monitoring of Known Threats
Example Correlation – Data Loss

Source: Windows Authentication (indicator: Default Admin Account; key field: Source IP)
20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts

Source: Endpoint Security (indicator: Malware Found; key field: Source IP)
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Source: Intrusion Detection (indicator: Data Loss; key field: Source IP)
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

Time Range: all three occurring within a 24-hour period
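The Case #2 correlation as an added example in Python rather than Splunk’s own search language (this is not Splunk code): events from three sources are normalised to a source IP and an indicator name, and an alert fires only when one source IP shows all three indicators inside a sliding 24-hour window. The log lines are constructed to resemble the slide’s three sources, and the year is an assumption because syslog-style timestamps carry none.

```python
"""Cross-source correlation for the data-loss scenario: a default Administrator
account, a malware detection and clear-text card numbers, all from one source IP
within 24 hours. Added example (Python, not Splunk SPL); the log lines below are
constructed to resemble the three sources on the slide."""
import re
from datetime import datetime, timedelta

LOGS = [
    # Windows account inventory (wmi UserAccounts): RID 500 is the built-in Administrator
    "Aug 08 05:12:21 ACME-2975EB wmi_type=UserAccounts Name=Administrator "
    "SID=S-1-5-21-1715567821-926492609-725345543-500 IP=10.11.36.20",
    # Endpoint security: rootkit tooling found on the same host
    "Aug 08 06:09:13 acmesep01 SymantecServer: Virus found,Risk name: Hackertool.rootkit,"
    "User: smithe,Source IP: 10.11.36.20",
    # IDS: card data leaving that host in clear text
    "Aug 08 08:26:54 snort.acmetech.com snort[18774]: [1:100000:3] [Classification: Potential "
    "Corporate Privacy Violation] Credit Card Number Detected in Clear Text {TCP} "
    "10.11.36.20:5072 -> 10.11.36.26:443",
    # Noise: a single indicator on another host must not alert
    "Aug 09 11:00:00 acmesep01 SymantecServer: Virus found,Risk name: Adware.Generic,"
    "User: jdoe,Source IP: 10.11.36.77",
]

# One extraction per source: (indicator name, regex whose group 1 is the source IP)
SOURCES = [
    ("default_admin", re.compile(r"wmi_type=UserAccounts .*SID=S-1-5-21-[\d-]+-500\b.*IP=(\S+)")),
    ("malware_found", re.compile(r"Virus found.*Source IP: (\S+)")),
    ("data_loss", re.compile(r"Credit Card Number Detected in Clear Text \{TCP\} ([\d.]+):\d+ ->")),
]
TIMESTAMP = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
REQUIRED = {"default_admin", "malware_found", "data_loss"}
WINDOW = timedelta(hours=24)


def parse_event(line, year=2013):
    """Normalise one raw line to {time, src_ip, indicator}; None if no source matches.
    The year is assumed: syslog-style timestamps do not carry one."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    when = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    for indicator, pattern in SOURCES:
        hit = pattern.search(line)
        if hit:
            return {"time": when, "src_ip": hit.group(1), "indicator": indicator}
    return None


def correlate(lines, required=REQUIRED, window=WINDOW):
    """Return {src_ip: [(indicator, first time seen), ...]} for every source IP whose
    events cover all required indicators inside one sliding window."""
    by_ip = {}
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_ip.setdefault(ev["src_ip"], []).append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):          # anchor the window at each event in turn
            seen = {}
            for ev in events[i:]:
                if ev["time"] - first["time"] > window:
                    break
                seen.setdefault(ev["indicator"], ev["time"])
            if required.issubset(seen):
                alerts[ip] = sorted(seen.items(), key=lambda kv: kv[1])
                break
    return alerts


if __name__ == "__main__":
    for ip, chain in correlate(LOGS).items():
        print(ip, [name for name, _ in chain])   # 10.11.36.20 ['default_admin', 'malware_found', 'data_loss']
```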
Case #3 – Real-time Monitoring of Unknown Threats
Example Correlation – Spearphishing

Source: Email Server (indicator: Rarely seen email domain; key field: User Name)
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,, hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-0809T22:40:24.975Z

Source: Web Proxy (indicator: Rarely visited web site; key field: User Name)
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

Source: Endpoint Logs (indicator: Rarely seen service; key field: User Name)
08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="John DoeDeviceHarddiskVolume1WindowsSystem32neverseenbefore.exe“ registry_type ="CreateKey"key_path="REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersion Printers PrintProviders John Doe-PCPrinters{} NeverSeenbefore" data_type""

Time Range: all three occurring within a 24-hour period
$500k Security ROI @ Interac
• Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.

“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.”
– Josh Diakun, Security Specialist, Information Security Operations
Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM

“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.”
– Gavin Reid, Leader, Cisco Computer Security Incident Response Team
Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI

“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.”
– Stephen Gailey, Head of Security Services
Splunk Key Differentiators (Splunk vs. Traditional SIEM)
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can easily index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
For your own AHA! Moment, reach out to your Scalar and Splunk team for a demo
Thank you!

INFOBLOX

Are you prepared to withstand DNS attacks?
Ed O’Connell, Senior Product Marketing Manager
Infoblox Overview
DNS Security Challenges
Securing the DNS Platform
Defending Against DNS Attacks
Preventing Malware from using DNS

• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership: Gartner “Strong Positive” rating; 40%+ market share (DDI)
• 6,900+ customers, 64,000+ systems shipped
• 38 patents, 25 pending
• IPO April 2012: NYSE BLOX

Total Revenue ($MM, fiscal year ending July 31): FY2007 $35.0 | FY2008 $56.0 | FY2009 $61.7 | FY2010 $102.2 | FY2011 $132.8 | FY2012 $169.2 | FY2013 $225.0
[Diagram: the Infoblox Grid with real-time network database sits in the control plane, providing infrastructure security and historical/real-time reporting & control across virtual machines, private cloud, applications, apps & end-points, and the network infrastructure (firewalls, switches, routers, web proxy, load balancers).]
• DNS is the cornerstone of the Internet, used by every business/government
• DNS as a protocol is easy to exploit
• Traditional protection is ineffective against evolving threats
DNS outage = business downtime
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS

Infoblox DNS Firewall: Prevents Malware/APT from Using DNS
Infoblox Advanced DNS Protection: Defend Against DNS Attacks
Hardened Appliance & OS: Secure the DNS Platform
Traditional DNS server (general-purpose OS):
– Many open ports subject to attack
– Users have OS-level account privileges on server
– No visibility into good vs. bad traffic
– Requires time-consuming manual updates
– Requires multiple applications for device management

Hardened appliance & OS:
• Minimal attack surfaces
• Active/Active HA & DR recovery
• Centralized management with role-based control
• Tested & certified to highest industry standards
• Secured access, communication & API
• Secure inter-appliance communication
• Detailed audit logging
• Fast/easy upgrades

DNSSEC:
• No scripts / auto-resigning / 1-click
• Central configuration of all DNSSEC parameters
• Automatic maintenance of signed zones
~10% of infrastructure attacks targeted DNS
Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013

Infrastructure-layer attack vectors, share of attacks:
  UDP FRAGMENT   17.11%
  SYN            14.56%
  UDP FLOODS     13.15%
  ICMP            9.71%
  DNS             9.58%
  CHARGEN         6.39%
  ACK             2.81%
  RESET           1.4%
  FIN PUSH        1.28%
  SYN PUSH        0.38%
  RP              0.26%
  TCP FRAGMENT    0.13%

~80% of organizations surveyed experienced application layer attacks on DNS
Source: Arbor Networks

Application-layer attacks experienced, share of survey respondents:
  HTTP       82%
  DNS        77%
  HTTPS      54%
  SMTP       25%
  SIP/VOIP   20%
  Other       9%
  IRC         6%
Distributed Reflection DoS Attack (DrDoS)
How the attack works
– Combines reflection and amplification
– Uses third-party open resolvers on the Internet (unwitting accomplices)
– Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim's IP address
– Uses multiple such open resolvers, often thousands of servers
– Queries specially crafted to result in a very large response
– Causes DDoS on the victim's server
[Diagram: Attacker, open resolvers on the Internet, Target Victim]

[Diagram: Infoblox Advanced DNS Protection (External DNS) blocks DNS attacks and passes legitimate traffic; Infoblox Advanced DNS Protection (Internal DNS); the Infoblox Threat-rule Server pushes automatic updates to both; data for reports flows to a Reporting Server, which reports on attack types and severity]
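The reflector in a DrDoS attack is an ordinary DNS server answering queries whose source address was spoofed, so the defence belongs on the server that would otherwise do the amplifying. The standard server-side mitigation, which the "Block DNS attacks" step above sits in front of, is Response Rate Limiting: identical responses toward the same network share a token bucket, so a flood aimed at one victim is throttled while other clients are unaffected. The Python below is an added example written for this page, not Infoblox's implementation, of that scheme; the rates, the /24 aggregation, the addresses and the traffic are constructed.

```python
"""Response Rate Limiting (RRL) for an authoritative DNS server, simulated offline.

Token bucket keyed on (client /24, response identity), the scheme BIND and NSD use.
Responses to the same network for the same name/type/rcode are budgeted as a group,
so a spoofed reflection flood aimed at one victim drains one bucket only.
"""
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rate = responses_per_second   # steady-state responses allowed per second per bucket
        self.window = window               # seconds of unused credit a quiet bucket may accumulate
        self.slip = slip                   # every Nth limited response is sent truncated, not dropped
        self.credits = {}                  # bucket -> (credit balance, timestamp of last update)
        self.limited = defaultdict(int)    # bucket -> number of rate-limited responses so far

    @staticmethod
    def bucket_key(client_ip, qname, qtype, rcode):
        # Constructed IPv4-only /24 aggregation; real implementations also take a v6 prefix length.
        prefix = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (prefix, qname.rstrip(".").lower(), qtype, rcode)

    def decide(self, ts, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (TC=1 answer, forcing a real client onto TCP) or 'drop'."""
        key = self.bucket_key(client_ip, qname, qtype, rcode)
        balance, last = self.credits.get(key, (float(self.rate), ts))
        balance = min(balance + (ts - last) * self.rate, self.rate * self.window)  # refill
        if balance >= 1:
            self.credits[key] = (balance - 1, ts)
            return "send"
        self.credits[key] = (balance, ts)
        self.limited[key] += 1
        # Slip: a truncated reply carries no amplification, and a genuine client whose
        # address was spoofed can retry over TCP, which cannot be reflected.
        if self.slip and self.limited[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_reflection_flood():
    """Constructed traffic: 50 identical ANY queries within one second whose source address
    is spoofed to the victim's network, plus one ordinary query from an unrelated client."""
    rrl = ResponseRateLimiter(responses_per_second=5, window=15, slip=2)
    tally = defaultdict(int)
    for _ in range(50):
        tally["victim:" + rrl.decide(100, "203.0.113.7", "example.test", "ANY")] += 1
    tally["legit:" + rrl.decide(100, "198.51.100.20", "www.example.test", "A")] += 1
    return dict(tally)


if __name__ == "__main__":
    print(simulate_reflection_flood())
    # {'victim:send': 5, 'victim:drop': 23, 'victim:slip': 22, 'legit:send': 1}
```

Of the fifty reflected responses only five leave the server at full size; the legitimate client's bucket is separate and is never touched. RRL protects third parties from your server; it does not stop a flood arriving at your server, which is what the appliance's own rate limiting and the upstream filtering in the diagram address.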
DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
DNS cache poisoning: Corruption of the DNS cache data with a rogue address
Protocol anomalies: Causing the server to crash by sending malformed packets and queries
Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
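DNS tunneling, the last row above, leaves a recognisable footprint in resolver query logs: many unique, long, high-entropy labels under a single zone, frequently with TXT or NULL record types that have room for a payload. The Python below is an added detector written for this page, not the page's or Infoblox's code; it profiles a constructed query log per zone and flags zones that exceed length, entropy and uniqueness thresholds, while a CDN with short hash-like hostnames stays unflagged. All names, addresses and thresholds are assumptions.

```python
"""Flag DNS query streams that look like tunnelled data (added example with constructed data)."""
import math
from collections import defaultdict

# Constructed query log: (time, client, qname, qtype). The exfil.test names carry encoded
# payload in a long, random-looking leftmost label, the classic tunnelling shape; the
# cdn-provider.test names are hash-like but short, a common false-positive source.
SAMPLE_QUERIES = [
    ("10:00:01", "10.1.1.5",  "www.example.test",                              "A"),
    ("10:00:02", "10.1.1.5",  "mail.example.test",                             "MX"),
    ("10:00:03", "10.1.1.9",  "cdn3.static.example.test",                      "A"),
    ("10:00:03", "10.1.1.9",  "d1a2b3c4e5f6g7h8.assets.cdn-provider.test",     "A"),
    ("10:00:04", "10.1.1.9",  "f9e8d7c6b5a4f3e2.assets.cdn-provider.test",     "A"),
    ("10:00:05", "10.1.1.9",  "0a1b2c3d4e5f6a7b.assets.cdn-provider.test",     "A"),
    ("10:00:04", "10.1.1.23", "zgq5rx3k7p2mvh9f1tbc8wn4lyd0sj6a.t.exfil.test",  "TXT"),
    ("10:00:04", "10.1.1.23", "k8m2pqv7xz3rtn5wdc1hj9fb6lys4g0e.t.exfil.test",  "TXT"),
    ("10:00:05", "10.1.1.23", "b3n7tq1vz9xk5mr2pwd8hc4fj6lys0ga.t.exfil.test",  "TXT"),
    ("10:00:05", "10.1.1.23", "q6w2e9r4t7y1u8i3o5p0a2s4d6f8g1hj.t.exfil.test",  "TXT"),
]


def shannon_entropy(text):
    """Bits per character: 0 for 'www', about 5 for a 32-character base32-like blob."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, zone_labels=2):
    """Split into (registered zone, subdomain part). Taking the last two labels is an
    assumption for this example; a deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def profile_zones(queries):
    """Accumulate per-zone features over the whole log."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_len": 0,
                                 "entropy": 0.0, "payload_types": 0})
    for _time, _client, qname, qtype in queries:
        zone, sub = split_name(qname)
        s = stats[zone]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["payload_types"] += qtype in ("TXT", "NULL", "CNAME")  # record types with room for data
    return stats


def suspected_tunnels(queries, min_queries=3, min_len=30, min_entropy=3.5, min_unique=0.8):
    """Zones whose subdomains are, on average, long, high-entropy and almost never repeated."""
    flagged = {}
    for zone, s in profile_zones(queries).items():
        n = s["queries"]
        if n < min_queries:
            continue  # too few observations to judge
        avg_len, avg_entropy = s["sub_len"] / n, s["entropy"] / n
        unique_ratio = len(s["subdomains"]) / n
        if avg_len >= min_len and avg_entropy >= min_entropy and unique_ratio >= min_unique:
            flagged[zone] = {"queries": n, "avg_sub_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2),
                             "unique_ratio": round(unique_ratio, 2),
                             "payload_type_share": round(s["payload_types"] / n, 2)}
    return flagged


if __name__ == "__main__":
    for zone, info in suspected_tunnels(SAMPLE_QUERIES).items():
        print(zone, info)
```

The three thresholds are what keep the CDN out of the result: its labels are random-looking but only 16 characters long. Tune them against a week of your own logs before alerting on them, since some legitimate services (anti-virus lookups, certificate revocation checks) also encode data in labels.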
[Deployment diagram: Advanced DNS Protection appliances at the External DNS layer (Internet-facing, in the DMZ) and at the Internal DNS layer; Grid Master and Grid Master Candidate (HA) in the datacenter; Advanced DNS Protection at datacenter and campus/regional sites serving the intranet and its endpoints]
[Timeline: 2013 Q2, Q3, Q4; 2014 Q1]
Cryptolocker "Ransomware"
– Targets Windows-based computers
– Appears as an attachment to a legitimate-looking email
– Upon infection, encrypts files on the local hard drive and on mapped network drives
– Ransom: 72 hours to pay US$300
– Fail to pay and the encryption key is deleted and the data is gone forever
– The only way to stop it (after the executable has started) is to block the outbound connection to the encryption server
How the Infoblox DNS Firewall works

1. An infected device is brought into the office. Malware / APT spreads to other devices on the network.
2. Malware calls home: it makes a DNS query to find "home" (botnet / C&C). Detect & Disrupt: Infoblox DDI with DNS Firewall detects and blocks the DNS query to the malicious domain; the blocked attempt is sent to Syslog.
3. Pinpoint: Infoblox Reporting lists the blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history.
4. DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service (Infoblox Malware Data Feed Service).
DNS Firewall with FireEye NX Series (FireEye detonates and detects malware)

1. Detect: an endpoint attempts to download an infected file; FireEye detects the APT and alerts are sent to Infoblox.
2. Disrupt: Infoblox DDI with DNS Firewall disrupts the malware's DNS communication with malicious domains; the blocked attempt is sent to Syslog.
3. Pinpoint: Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), DHCP lease (on/off network) and host name.
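Both workflows above reduce to the same mechanism at the resolver: consult a feed of malicious names before answering, rewrite the answer when a name matches, log the attempt, and join the log with DHCP data to find the device rather than just an address. The Python below is an added example written for this page (not Infoblox's implementation) of a Response Policy Zone style lookup with NXDOMAIN and walled-garden actions, syslog-style logging and the Pinpoint join; it also shows why a wildcard entry on its own does not cover the zone apex. The feed, the upstream answers, the log format and the lease table are constructed, and ransom-key-server.test stands in for the Cryptolocker encryption server the earlier slide says must be blocked.

```python
"""RPZ-style DNS firewall lookup with blocked-attempt logging and DHCP correlation.

Added example with constructed data; the feed, the log line format and the lease
table are stand-ins for the Infoblox subscription feed, Syslog output and DDI data.
"""
from datetime import datetime, timezone

# Constructed threat feed: name -> action. "*.zone" covers every name below zone but,
# as in RPZ, not zone itself; an apex entry must be listed separately.
THREAT_FEED = {
    "evil-c2.test": "NXDOMAIN",
    "*.dyn-c2.test": "NXDOMAIN",
    "ransom-key-server.test": "REDIRECT",   # walled garden instead of a lie of non-existence
}
WALLED_GARDEN_IP = "192.0.2.53"             # constructed (RFC 5737 documentation range)

# Constructed upstream answers standing in for real recursion.
UPSTREAM_ANSWERS = {
    ("www.example.test", "A"): ["198.51.100.10"],
    ("evil-c2.test", "A"): ["203.0.113.66"],
    ("dyn-c2.test", "A"): ["203.0.113.70"],
}

# Constructed DHCP lease table for the Pinpoint step: client IP -> device details.
DHCP_LEASES = {
    "10.1.1.23": {"mac": "00:11:22:33:44:55", "host": "LAPTOP-7Q2", "fingerprint": "Windows 7"},
}


def normalize(qname):
    return qname.rstrip(".").lower()


def lookup_policy(qname, feed=THREAT_FEED):
    """Exact match first, then the closest enclosing wildcard; None if the feed is silent."""
    name = normalize(qname)
    if name in feed:
        return name, feed[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in feed:
            return wildcard, feed[wildcard]
    return None


def fake_upstream(qname, qtype):
    answers = UPSTREAM_ANSWERS.get((normalize(qname), qtype))
    return ("NOERROR", answers) if answers else ("NXDOMAIN", [])


def resolve(client_ip, qname, qtype, log, now, upstream=fake_upstream, feed=THREAT_FEED):
    """Apply policy before answering; every rewrite is appended to log as a syslog-style line."""
    hit = lookup_policy(qname, feed)
    if hit is None:
        return upstream(qname, qtype)
    rule, action = hit
    log.append(f"{now.strftime('%b %d %H:%M:%S')} dnsfw rpz: client={client_ip} "
               f"qname={normalize(qname)} qtype={qtype} rule={rule} action={action}")
    if action == "NXDOMAIN":
        return "NXDOMAIN", []
    return "NOERROR", [WALLED_GARDEN_IP]


def pinpoint(log, leases=DHCP_LEASES):
    """Join blocked attempts with DHCP data so the infected device, not just an IP, is named."""
    hits = []
    for line in log:
        fields = dict(kv.split("=", 1) for kv in line.split(" rpz: ", 1)[1].split())
        device = leases.get(fields["client"], {"mac": "?", "host": "?", "fingerprint": "?"})
        hits.append({**fields, **device})
    return hits


def run_scenario():
    """One infected client trying five names; returns (answers by name, blocked-attempt log)."""
    now = datetime(2014, 3, 1, 9, 30, tzinfo=timezone.utc)  # constructed clock
    log = []
    queries = ["www.example.test", "EVIL-C2.test.", "x7.dyn-c2.test",
               "dyn-c2.test", "ransom-key-server.test"]
    results = {q: resolve("10.1.1.23", q, "A", log, now) for q in queries}
    return results, log


if __name__ == "__main__":
    results, log = run_scenario()
    for name, answer in results.items():
        print(f"{name:24} -> {answer}")
    for hit in pinpoint(log):
        print(hit["host"], hit["mac"], hit["fingerprint"], "tried", hit["qname"])
```

The dyn-c2.test query is the instructive one: the wildcard blocks x7.dyn-c2.test but the apex resolves normally, so a feed that intends to cover a whole zone needs both entries. The log line carries the client address because that, joined with the lease table, is what turns a blocked query into a device to pull off the network.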
Fast Flux: Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location
APT / Malware: Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
DNS Hacking: Hacking DNS registry(s) & redirecting users to malicious domain(s)
Geo-Blocking: Blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government
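Fast flux, the first row above, is detectable from a resolver's own cache history: a fluxing name returns new addresses on almost every lookup, spread across unrelated networks, with short TTLs. The Python below is an added example, not Infoblox code; it aggregates constructed resolution snapshots per domain and flags names by unique address count, network diversity, TTL and churn, while a CDN that also rotates low-TTL addresses inside its own block stays unflagged. The /16 grouping is an offline stand-in for an ASN lookup, and all data and thresholds are assumptions.

```python
"""Score fast-flux behaviour from repeated resolutions (added example, constructed data)."""
from collections import defaultdict

# Constructed resolver observations: (minutes since start, domain, TTL, A records).
SAMPLE_RESOLUTIONS = [
    (0,  "www.example.test", 3600, ["198.51.100.10", "198.51.100.11"]),
    (30, "www.example.test", 3600, ["198.51.100.10", "198.51.100.11"]),
    (60, "www.example.test", 3600, ["198.51.100.11", "198.51.100.10"]),
    # A CDN also uses short TTLs and rotates addresses, but within its own address block.
    (0,  "cdn.bigstatic.test", 60, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    (30, "cdn.bigstatic.test", 60, ["203.0.113.13", "203.0.113.10", "203.0.113.14"]),
    (60, "cdn.bigstatic.test", 60, ["203.0.113.11", "203.0.113.15", "203.0.113.12"]),
    # Flux: every snapshot brings new addresses scattered across unrelated networks.
    (0,  "flux-c2.test", 180, ["192.0.2.17", "198.18.4.99", "100.64.7.3"]),
    (30, "flux-c2.test", 180, ["192.0.2.210", "198.18.77.5", "100.64.200.1"]),
    (60, "flux-c2.test", 120, ["192.0.2.99", "198.18.250.8", "100.64.33.7"]),
]


def network_prefix(ip, bits=16):
    """Coarse /16 grouping, used here as an offline stand-in for an ASN lookup (assumption)."""
    return ".".join(ip.split(".")[:bits // 8])


def flux_metrics(resolutions):
    """Per-domain: unique addresses, distinct networks, average TTL and churn
    (addresses never seen before for that name, per follow-up snapshot)."""
    per_domain = defaultdict(lambda: {"snapshots": 0, "ips": set(), "prefixes": set(),
                                      "ttl_sum": 0, "new_ips": 0})
    for _minute, domain, ttl, answers in sorted(resolutions, key=lambda r: (r[0], r[1])):
        m = per_domain[domain]
        m["snapshots"] += 1
        m["ttl_sum"] += ttl
        if m["snapshots"] > 1:
            m["new_ips"] += len(set(answers) - m["ips"])
        m["ips"] |= set(answers)
        m["prefixes"] |= {network_prefix(ip) for ip in answers}
    return {
        d: {"unique_ips": len(m["ips"]), "prefixes": len(m["prefixes"]),
            "avg_ttl": m["ttl_sum"] / m["snapshots"],
            "churn": m["new_ips"] / max(m["snapshots"] - 1, 1)}
        for d, m in per_domain.items()
    }


def suspected_fast_flux(resolutions, min_ips=6, min_prefixes=3, max_ttl=300, min_churn=2.0):
    """Domains that are short-lived, keep producing fresh addresses, and span several networks."""
    return {d for d, m in flux_metrics(resolutions).items()
            if m["unique_ips"] >= min_ips and m["prefixes"] >= min_prefixes
            and m["avg_ttl"] <= max_ttl and m["churn"] >= min_churn}


if __name__ == "__main__":
    for domain, m in flux_metrics(SAMPLE_RESOLUTIONS).items():
        print(f"{domain:20} {m}")
    print("suspected fast flux:", suspected_fast_flux(SAMPLE_RESOLUTIONS))
```

Network diversity is the feature that separates the two low-TTL cases: the CDN's six addresses all sit in one block, the flux name's nine span three. With real data, replace the /16 heuristic with an ASN lookup, which is what published fast-flux detectors key on.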
DNS is the cornerstone of the Internet

Unprotected DNS infrastructure introduces security risks

Infoblox DNS Firewall: Prevents Malware/APT from Using DNS
Infoblox Advanced DNS Protection: Defend Against DNS Attacks
Hardened Appliance & OS: Secure the DNS Platform

Secure DNS Solution protects critical DNS services

Thank you!
For more information: www.infoblox.com
Why Scalar for Security?

The Issues
– Integration of Security Technologies
– Staffing
– Vulnerabilities
– Advanced threats

Integration of Security Technologies is Challenging
– Multiple formats of data
– Data timing issues
– Different types of security controls
– Other data types

InfoSecurity Staff
– Different skills requirements
  ﹘ Architects
  ﹘ Malware Handling
  ﹘ Forensics
  ﹘ Vulnerability
  ﹘ Incident Management
  ﹘ Risk and Compliance
– HR Costs
  ﹘ Premium technical personnel
  ﹘ Analysts, Specialists
  ﹘ Training and certification

Vulnerabilities
– Regular scheduled disclosures
– Large volumes of ad-hoc patches
– Many undisclosed zero days
– Remediation is a continuous process

Advanced Threats
– Advanced Persistent Threats
– Embedded threats
Who?
– State sponsored
– Hacktivism
– Hackers
– Organized crime

How to Secure It
– State-of-the-art Security Technologies
– Skills on Demand
  ﹘ Continuous Tuning of Rules and Filters
  ﹘ Cyber Intelligence, Advanced Analytics
  ﹘ Cyber Incident Response
  ﹘ Code Review, Vulnerability and Assessment Testing

WRAP/QUESTIONS?

THANK YOU.

Where Technology Meets Medicine: SickKids High Performance Computing Data CentreScalar Decisions
 
Cyber Security trends and tactics for 2015
Cyber Security trends and tactics for 2015Cyber Security trends and tactics for 2015
Cyber Security trends and tactics for 2015Scalar Decisions
 
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am GamesScalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am GamesScalar Decisions
 
Sheridan College: Scalar Customer Case Study
Sheridan College: Scalar Customer Case StudySheridan College: Scalar Customer Case Study
Sheridan College: Scalar Customer Case StudyScalar Decisions
 

More from Scalar Decisions (20)

La transformation numérique de Scalar
La transformation numérique de ScalarLa transformation numérique de Scalar
La transformation numérique de Scalar
 
Digital Transformation
Digital TransformationDigital Transformation
Digital Transformation
 
2017 Scalar Security Study Summary
2017 Scalar Security Study Summary2017 Scalar Security Study Summary
2017 Scalar Security Study Summary
 
Scalar cloud study2016_slideshare
Scalar cloud study2016_slideshareScalar cloud study2016_slideshare
Scalar cloud study2016_slideshare
 
2016 Scalar Security Study Roadshow
2016 Scalar Security Study Roadshow2016 Scalar Security Study Roadshow
2016 Scalar Security Study Roadshow
 
Résumé de l’étude sur la sécurité de Scalar 2016
Résumé de l’étude sur la sécurité de Scalar 2016Résumé de l’étude sur la sécurité de Scalar 2016
Résumé de l’étude sur la sécurité de Scalar 2016
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Web scale with-nutanix_rev
Web scale with-nutanix_revWeb scale with-nutanix_rev
Web scale with-nutanix_rev
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Cloudforms Workshop
Cloudforms WorkshopCloudforms Workshop
Cloudforms Workshop
 
Scalar Case Study: Strong Project Management Helps McMaster University Succes...
Scalar Case Study: Strong Project Management Helps McMaster University Succes...Scalar Case Study: Strong Project Management Helps McMaster University Succes...
Scalar Case Study: Strong Project Management Helps McMaster University Succes...
 
XtremIO
XtremIOXtremIO
XtremIO
 
Hyperconverged Infrastructure: The Leading Edge of Virtualization
Hyperconverged Infrastructure: The Leading Edge of VirtualizationHyperconverged Infrastructure: The Leading Edge of Virtualization
Hyperconverged Infrastructure: The Leading Edge of Virtualization
 
The Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsThe Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian Organizations
 
Where Technology Meets Medicine: SickKids High Performance Computing Data Centre
Where Technology Meets Medicine: SickKids High Performance Computing Data CentreWhere Technology Meets Medicine: SickKids High Performance Computing Data Centre
Where Technology Meets Medicine: SickKids High Performance Computing Data Centre
 
Cyber Security trends and tactics for 2015
Cyber Security trends and tactics for 2015Cyber Security trends and tactics for 2015
Cyber Security trends and tactics for 2015
 
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am GamesScalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
Scalar Customer Case Study: Toronto 2015 Pan Am/Parapan Am Games
 
Sheridan College: Scalar Customer Case Study
Sheridan College: Scalar Customer Case StudySheridan College: Scalar Customer Case Study
Sheridan College: Scalar Customer Case Study
 

Calgary security road show master deck final

  • 1. Security Road Show - Calgary © 2014 Scalar Decisions Inc. Not for distribution outside of intended audience
  • 2. • 9:00am – 9:15am Welcome • 9:15am – 9:45am Palo Alto Networks – You can’t control what you can’t see! • 9:45am – 10:15am F5 – Protect your web applications • 10:15am – 10:30am Break • 10:30am – 11:00am Splunk – Big data, next generation SIEM • 11am – 11:30am Infoblox – Are you fully prepared to withstand DNS attacks? • 11:30am – 12:00pm Closing remarks, Q&A • 12:00pm – 12:30pm Boxed Lunches
  • 3. • Today’s Speakers – Geoff Shukin – Palo Alto Networks – Clayton Sopel – F5 – Menno Vanderlist – Splunk – Ed O’Connell – Infoblox
  • 4. Founded in 2004; $125M in CY13 Revenues; Nationwide Presence: 120 Employees Nationwide; 25% Growth YoY; Toronto | Vancouver | Ottawa | Calgary | London; Greater than 1:1 technical:sales ratio; Background in architecting mission-critical data centre infrastructure
  • 5. • The country’s most skilled IT infrastructure specialists, focused on security, performance and control tools • Delivering infrastructure services which support core applications
  • 6. WHY SCALAR?
  • 7. Experience – Innovation – Execution
  • 8. • Top technical talent in Canada – Engineers average 15 years’ experience • We train the trainers – Only Authorized Training Centre in Canada for F5, Palo Alto Networks, and Infoblox • Our partners recognize we’re the best – Brocade Partner of the Year – Innovation – Cisco Partner of the Year – Data Centre & Virtualization – VMware Global Emerging Products Partner of the Year – F5 Canadian Partner of the Year – Palo Alto Networks Rookie of the Year – NetApp Partner of the Year – Central
  • 9. • Unique infrastructure solutions designed to meet your needs – StudioCloud – HPC & Trading Systems • Testing Centre & Proving Grounds – Ensuring emerging technologies are hardened, up to the task of Enterprise workloads • Vendor Breadth – Our coverage spans Enterprise leaders and Emerging technologies for niche workloads & developing markets
  • 10. “Scalar […] has become our trusted advisor for architecting and implementing our storage, server and network infrastructure across multiple data centres”
  • 11. “We’ve basically replaced our infrastructure at a lower cost than simply the maintenance on our prior infrastructure […] At the same time, we’ve improved performance and reduced our provisioning time”
  • 12. “Numerous technologies needed to converge to make VDI a reality for us. The fact that Scalar is multidisciplinary and has deep knowledge around architecture, deployment and management of all of these technologies was key”
  • 13.
  • 14. PALO ALTO NETWORKS
  • 15. Palo Alto Networks – Controlling Threats. Geoff Shukin, Senior SE, Palo Alto Networks, #netgun
  • 16. context |ˈkänˌtekst| noun: the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed. ©2014 Palo Alto Networks. Confidential and Proprietary.
  • 17. action – intelligence – context
  • 18. Session context: application slideshare-uploading (application function of slideshare); file name roadmap.pdf; file type pdf; protocol HTTP over SSL; URL category file-sharing; destination country canada; source IP 172.16.1.10; destination port tcp/443; destination IP 64.81.2.23; group prodmgmt; user bjacobs; 344 KB
  • 19. Session context: application web-browsing; file name shipment.exe; file type exe; protocol HTTP over SSL; URL category unknown; destination country china; source IP 172.16.1.10; destination port tcp/443; destination IP 64.81.2.23; group finance; user fthomas; 344 KB
  • 20. Attack lifecycle: Exploit Kit Contact → New Domain → ZeroAccess Delivered → C2 Established → Data Stolen → Custom C2 & Hacking → Spread Laterally → Secondary Payload → Exfiltration via RDP & FTP. Evasion along the way: hides within SSL; new domain, no reputation; payload evades AV; C2 hides using nonstandard ports; no signature for custom malware; hides in plain sight; payload evades C2 signatures
  • 21. • Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics • Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures • Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base
  • 22. All Applications, All Attack Vectors, All Threats. Datacenter: validate business applications & users; find rogue/misconfigured apps; high speed threat prevention. Gateway: visibility into all traffic; enable apps to reduce exposure; block known/unknown threats. Segmentation: isolate critical data, business functions; enable applications based on users; block known/unknown threats
  • 23. From commodity to advanced threat. Commodity threats (very common, easily identified): mostly addressed by traditional AV and IPS; low sophistication, slowly changing; machine vs. machine. Organized cybercrime (more customized exploits and malware): somewhat more sophisticated payloads; evasion techniques often employed; sandboxing and other smart detection often required. Nation state (very targeted, persistent, creative): comprehensive investigation after an indicator is found; intelligent and continuous monitoring of passive network-based and host-based sensors; highly coordinated response is required for effective prevention and remediation
  • 24. • Evolving from incident response mindset to intelligence mindset • No intelligence exists without visibility • Applying the intelligence and resulting IOCs to the kill chain • Sharing what you know
  • 25. • It’s a campaign, not just an attack • Appreciate and utilize the intelligence cycle. Security stack: block an IP address; block a URL; block a session; block a known virus; heuristically block spam; block bad attachments. Intelligence cycle {A, B, C, D, E, F, G, H, I, J, K, L, M, N, O}: recons by A, B and C; builds this kind of weapon: D; delivers the weapon by E, F and G; exploits the network by H and I; installs itself by J; establishes C2 by K, L and M; performs N and O on the objective
  • 26. • You don’t have intelligence if you don’t have visibility • Visibility required across the whole network • Ideally, you can see and understand applications, content, and users • Then make sense of what you see
  • 27. 1. Changes driven by “location” – Where’s the user? – Where’s the app? – Where’s the server? 2. Changes driven by security evolution – Who and where is the attacker? – What is their level of sophistication? – What are their motives?
  • 28. Users are moving off the network
  • 29. Apps are moving off the network
  • 30. Servers are moving to private and public clouds
  • 31. Traffic is moving off the network
  • 32.
  • 33. • Visibility provides intelligence around the indicators of compromise (IOC) • IOCs applied to the kill chain provide actionability • Highly automated kill chain
  • 34. Traditional detection and sandbox-based detection feed: anti-malware signature generation; IPS (C&C) signature generation; DNS (C&C) signature generation; malware URL list generation
  • 35. • In the cyber security battle, sharing is key • Three ways this is happening: 1. External – industry initiatives 2. External – technology partnerships 3. Internal – your security technology should leverage the network
  • 36. • Automatic detection in real time in private or public cloud • Automatic generation of several defensive measures • Automatic distribution of defensive measures to all WildFire customers within 30 minutes after initial detection • Automatic installation of defensive measures provides full prevention immediately • You benefit from the threat intelligence of 2,500+ organizations across the industry
  • 37. F5
  • 38. F5 – Security for an application driven world (CONFIDENTIAL)
  • 39. F5 Provides Complete Visibility and Control Across Applications and Users. Between users and resources: DNS, Web Access, Intelligent Services, Dynamic Threat Defense, DDoS Protection, Platform Protocol Security, Network Firewall, all on TMOS. Securing access to applications from anywhere; protecting your applications regardless of where they live. © F5 Networks, Inc
  • 41. [Chart: security incidents May–Dec 2012 by attack type (Spear Phishing, Physical Access, XSS); size of circle estimates relative impact of incident in terms of cost to business]
  • 42. [Chart: security incidents Jan–Jun 2013 by industry (banks, government, online services, telcos, news & media, education, software, utilities, DNS providers and others) and attack type (Spear Phishing, Physical Access); size of circle estimates relative impact of incident in terms of cost to business]
  • 43. More sophisticated attacks are multi-layer: Application, SSL, DNS, Network
  • 44. The business impact of DDoS: cost of corrective action; reputation management
  • 45. OWASP Top 3 Application Security Risks. 1 – Injection: Injection flaws, such as SQL and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data. 2 – Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens to assume another user’s identity. 3 – Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface web sites or redirect the user. Reference: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  • 47. Full Proxy Security. Client-side and server-side stacks (Web application, Application, Session, Network, Physical). Controls: SSL inspection and SSL DDoS mitigation; L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation; application health monitoring and performance anomaly detection; HTTP proxy, HTTP DDoS and application security
  • 48. The F5 Application Delivery Firewall – Bringing deep application fluency to firewall security. One platform: Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security. EAL2+; EAL4+ (in process)
  • 49. Positive vs Negative • Positive Security: known good traffic; permit only what is defined in the security policy (whitelisting); block everything else • Negative: known-bad traffic; pattern matching for malicious content using regular expressions • Policy enforcement is based on positive security logic; negative security logic is used to complement positive logic.
  • 50. How Does It Work? Security at application, protocol and network level. Flow: Request made; Security policy checked; Content scrubbing; Application cloaking; Enforcement; Response delivered; Server response; Security policy applied. Actions: log, block, allow. “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”
  • 51. 1. Start by checking RFC compliance 2. Then check for various length limits in the HTTP 3. Then we can enforce valid types for the application 4. Then we can enforce a list of valid URLs 5. Then we can check for a list of valid parameters 6. Then for each parameter we will check for max value length 7. Then scan each parameter, the URI, the headers. Example request (CRLF line endings):
    GET /search.php?name=Acme’s&admin=1 HTTP/1.1
    Host: 172.29.44.44
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9
    Referer: http://172.29.44.44/search.php?q=data
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
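The seven checks above run in that order over the request on the slide, as an added example that is not F5 BIG-IP ASM code: the policy, the signature set and the two extra sample requests are constructed. The positive-security stages flag the undeclared admin parameter while the apostrophe in the name value passes, and the negative-security signatures of slide 49 only run last.

```python
"""The seven request checks of slide 51, applied in order.

Added example, not F5 BIG-IP ASM code. The policy, the signature set and the
second and third sample requests are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed positive-security policy: what the application may receive
POLICY = {
    "max_request_line": 512,
    "max_header_value": 512,
    "allowed_file_types": {"php", "html", "css", "js"},
    # valid URL -> {valid parameter: max value length}
    "allowed_urls": {"/search.php": {"q": 64, "name": 32}},
}
# Negative-security complement (slide 49): a small constructed signature set
SIGNATURES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'|;\s*drop\b")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:")),
]
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into parts; ValueError if it is malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header: %r" % line)
        headers[name.lower()] = value.strip()
    return {"line": lines[0], "method": parts[0], "target": parts[1],
            "version": parts[2], "headers": headers, "body": body}


def check_request(raw, policy=POLICY):
    """Return all (stage, detail) violations in check order; [] means allowed."""
    violations = []
    try:                                            # 1. RFC compliance
        req = parse_request(raw)
    except ValueError as err:
        return [("1-rfc", str(err))]
    if req["method"] not in METHODS or not req["version"].startswith("HTTP/1."):
        violations.append(("1-rfc", "bad method or version"))
    if "host" not in req["headers"]:
        violations.append(("1-rfc", "missing Host header"))
    if len(req["line"]) > policy["max_request_line"]:   # 2. length limits
        violations.append(("2-length", "request line too long"))
    for name, value in req["headers"].items():
        if len(value) > policy["max_header_value"]:
            violations.append(("2-length", "header %s too long" % name))
    url = urlsplit(req["target"])
    ext = url.path.rsplit(".", 1)[-1] if "." in url.path else ""
    if ext not in policy["allowed_file_types"]:         # 3. valid file types
        violations.append(("3-filetype", ext or "(none)"))
    allowed_params = policy["allowed_urls"].get(url.path)
    if allowed_params is None:                          # 4. valid URLs
        violations.append(("4-url", url.path))
        allowed_params = {}
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:                          # 5./6. parameters
        if name not in allowed_params:
            violations.append(("5-param", name))
        elif len(value) > allowed_params[name]:
            violations.append(("6-param-length", name))
    # 7. scan each parameter, the URI and the headers against the signatures
    surfaces = [("param:" + n, v) for n, v in params]
    surfaces.append(("uri", unquote(req["target"])))
    surfaces += [("header:" + n, v) for n, v in req["headers"].items()]
    for where, text in surfaces:
        for sig, rx in SIGNATURES:
            if rx.search(text):
                violations.append(("7-signature", "%s in %s" % (sig, where)))
    return violations


# The request shown on the slide, CRLF line endings restored
SLIDE_REQUEST = (
    "GET /search.php?name=Acme\u2019s&admin=1 HTTP/1.1\r\n"
    "Host: 172.29.44.44\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n\r\n"
)
# Constructed: a script-injection probe in an otherwise valid parameter
XSS_REQUEST = ("GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
               "Host: 172.29.44.44\r\n\r\n")
# Constructed: no Host header, so stage 1 (RFC compliance) already objects
BAD_REQUEST = "GET /search.php?q=data HTTP/1.1\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("slide", SLIDE_REQUEST), ("xss", XSS_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_request(raw) or "allowed")
```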
  • 52. Automatic HTTP/S DOS Attack Detection and Protection • Accurate detection technique—based on latency • Three different mitigation techniques escalated serially • Focus on higher value productivity while automatic controls intervene. Detect a DOS condition → Identify potential attackers → Drop only the attackers
  • 53. To Simplify: Application-Oriented Policies and Reports
  • 54. IP INTELLIGENCE. IP intelligence service (IP address feed updates every 5 min) plus geolocation database, in front of custom and financial applications. Sources identified: botnet; restricted region or country; attacker; anonymous requests; anonymous proxies; scanner; internally infected devices and servers
  • 55. Built for intelligence, speed and scale (users to resources): Concurrent user sessions 100K; Concurrent logins 1,500/sec; Throughput 640 Gbps; Concurrent connections 288 M; DNS query response 10 M/sec; SSL TPS (2K keys) 240K/sec; Connections per second 8M
  • 56. Application Delivery Firewall – Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security. Products: Advanced Firewall Manager – stateful full-proxy firewall; flexible logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS. Local Traffic Manager – #1 application delivery controller; application fluency; app-specific health monitoring. Application Security Manager – leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection. Access Policy Manager – dynamic, identity-based access control; simplified authentication infrastructure; endpoint security, secure remote access. Global Traffic Manager & DNSSEC – huge scale DNS solution; global server load balancing; signed DNS responses; offload DNS crypto. iRules extensibility everywhere
  • 57. Explore The F5 DDoS Protection Reference Architecture: f5.com/architectures
  • 58. Summary • Customers invest in network security, but most significant threats are at the application layer • Current security trends – BYOD, Webification – mean you need to be even more aware of who and what can access application data • A full proxy device is inherently secure, and coupled with high performance can overcome many security challenges • F5 Application Delivery Firewall brings together the traditional network firewall with application centric security, and can understand the context of users, devices and access
  • 59.
  • 60. BREAK
  • 61. SPLUNK
  • 62. Copyright © 2014 Splunk Inc. Splunk for Security Intelligence
  • 63. Make machine data accessible, usable and valuable to everyone.
  • 64. The Accelerating Pace of Data: Volume | Velocity | Variety | Variability. Machine data is the fastest growing, most complex, most valuable area of big data: GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
  • 65. The Splunk Security Intelligence Platform. Security Use Cases: Forensic Investigation, Security Operations, Compliance, Fraud Detection. Machine Data: Online Services, Web Services, Security, GPS Location, Servers, Packaged Applications, Networks, Desktops, Storage, Messaging, Telecoms, Custom Applications, RFID, Energy Meters, Online Shopping Cart, Databases, Web Clickstreams, Call Detail Records, Smartphones and Devices. HA Indexes and Storage on Commodity Servers
  • 66. Rapid Ascent in the Gartner SIEM Magic Quadrant: 2011, 2012, 2013
  • 67. Industry Accolades: Best SIEM Solution; Best Enterprise Security Solution; Best Security Product
  • 68. Over 2800 Global Security Customers
  • 69. Splunk Security Intelligence Platform: 120+ security apps, including Splunk App for Enterprise Security, Palo Alto Networks, Cisco Security Suite, OSSEC, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat ProxySG, Sourcefire
  • 70. Partner Ecosystem – What is the Value Add to Existing Customers? Visibility and correlation of rich data; improved security posture; configurable dashboard views
  • 71. All Data is Security Relevant = Big Data. Sources, Traditional SIEM included: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Custom Apps, Hypervisor, Badges, Firewall, Authentication, Vulnerability Scans, Storage, Mobile, Data Loss Prevention, Intrusion Detection, Anti-Malware, Service Desk, Call Records, Industrial Control
  • 72. Making Sound Security Decisions: Binary Data (flow and PCAP), Log Data, Threat Intelligence Feeds and Context Data feed Security Decisions. Volume, Velocity, Variety, Variability
  • 73. Case #1 – Incident Investigation/Forensics • Often initiated by alert in another product • May be a “cold case” investigation requiring machine data going back months (timeline January–April) • Need all the original data in one place and a fast way to search it to answer: – What happened and was it a false positive? – How did the threat get in, where have they gone, and did they steal any data? – Has this occurred elsewhere in the past? • Take results and turn them into a real-time search/alert if needed. [Figure: sample raw log events]
  • 74. Case #2 – Real-time Monitoring of Known Threats. Example Correlation – Data Loss. Three sources, joined on Source IP 10.11.36.20, all three occurring within a 24-hour period (Time Range):
    Windows Authentication (Default Admin Account): 20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts IP: 10.11.36.20
    Endpoint Security (Malware Found): Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
    Intrusion Detection (Data Loss): Aug 08 08:26:54 snort.acmetech.com itsec snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443
  • 75. Case #3 – Real-time Monitoring of Unknown Threats. Example Correlation – Spearphishing. Three sources, joined on User Name, all three occurring within a 24-hour period (Time Range):
    Email Server (rarely seen email domain): 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
    Web Proxy (rarely visited web site): 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
    Endpoint Logs (rarely seen service): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
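The join behind Case #2 and Case #3, as an added example that is not Splunk code or SPL: events from three sources are correlated on one shared entity (source IP here; Case #3 keyed on user name would only change the extractors) and reported only when all three fall inside a 24-hour window. The log lines are constructed, modelled loosely on the formats above, and the year assumed for syslog-style lines is an assumption.

```python
"""Time-windowed correlation of three sources on one shared entity: the logic
behind Case #2 (keyed on source IP); Case #3 is the same keyed on user name.

Added example, not Splunk code or SPL. The log lines are constructed and
loosely follow the formats on the slides; the syslog year is assumed."""
import re
from datetime import datetime, timedelta

SYSLOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the constructed data

# sourcetype -> (regex with named groups ts and key, strptime format for ts)
EXTRACTORS = {
    "windows_auth": (re.compile(r"^(?P<ts>\d{14})\.\d+ .*Source IP: (?P<key>[\d.]+)"),
                     "%Y%m%d%H%M%S"),
    "endpoint_av": (re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*Virus found.*"
                               r"Source IP: (?P<key>[\d.]+)"), "%b %d %H:%M:%S"),
    "ids": (re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) .*\{TCP\} (?P<key>[\d.]+):\d+ ->"),
            "%b %d %H:%M:%S"),
}


def extract(line):
    """Return (sourcetype, timestamp, key) for a recognised line, else None."""
    for sourcetype, (rx, fmt) in EXTRACTORS.items():
        m = rx.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), fmt)
            if ts.year == 1900:  # strptime default when the format has no year
                ts = ts.replace(year=SYSLOG_YEAR)
            return sourcetype, ts, m.group("key")
    return None


def correlate(lines, window=timedelta(hours=24), min_sources=3):
    """Keys seen in at least min_sources distinct sourcetypes inside one window.

    Returns {key: sorted sourcetypes} for every key that qualifies."""
    by_key = {}
    for line in lines:
        hit = extract(line)
        if hit:
            sourcetype, ts, key = hit
            by_key.setdefault(key, []).append((ts, sourcetype))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window opens at each event
            seen = {st for ts, st in events[i:] if ts - start <= window}
            if len(seen) >= min_sources:
                hits[key] = sorted(seen)
                break
    return hits


# Constructed sample data: 10.11.36.20 trips all three sources within 24 hours;
# 10.11.36.77 trips the same three sources, but spread over four days.
SAMPLE_LINES = [
    "20130808041221.000000 Caption=ACME-2975EB\\Administrator Name=Administrator "
    "SID=S-1-5-21-1715567821-926492609-725345543-500 wmi_type=UserAccounts Source IP: 10.11.36.20",
    "Aug 08 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,"
    "Risk name: Hackertool.rootkit,User: smithe,Source IP: 10.11.36.20",
    "Aug 08 08:26:54 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number "
    "Detected in Clear Text [Priority: 2]: {TCP} 10.11.36.20:5072 -> 10.11.36.26:443",
    "20130805101500.000000 Caption=ACME-1100AA\\Administrator Name=Administrator "
    "wmi_type=UserAccounts Source IP: 10.11.36.77",
    "Aug 07 09:00:00 SymantecServer acmesep01: Virus found,Computer name: ACME-009,"
    "Risk name: Hackertool.rootkit,User: jones,Source IP: 10.11.36.77",
    "Aug 09 11:30:00 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number "
    "Detected in Clear Text [Priority: 2]: {TCP} 10.11.36.77:4410 -> 10.11.36.26:443",
    # a line from a source the extractors do not know; it is ignored
    "Aug 08 12:00:00 sshd[22]: Accepted password for bob from 10.11.36.99 port 5000",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LINES))
```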
  • 76. $500k Security ROI @ Interac • Challenges: Manual, costly processes – Significant people and days/weeks required for incident investigations. $10k+ per week. – No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel – Traditional SIEMs evaluated were too bloated, too much dev time, too expensive Enter Splunk: Fast investigations and stronger security – – – – Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts Splunk reduced investigation time to hours. Reports can be created in minutes. Real-time correlations and alerting enables fast response to known and unknown threats ROI quantified at $500k a year. Splunk TCO is less than 10% of this. “ “ • Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see. Josh Diakun, Security Specialist, Information Security Operations 7 6
  • 77. Replacing a SIEM @ Cisco
  • Challenges: SIEM could not meet security needs
  – Very difficult to index non-security or custom app log data
  – Serious scale and speed issues. 10GB/day and searches took > 6 minutes
  – Difficult to customize, with reliance on pre-built rules which generated false positives
  • Enter Splunk: Flexible SIEM and empowered team
  – Easy to index any type of machine data from any source
  – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
  – All the data + flexible searches and reporting = empowered team
  – 900 GB/day and searches take under a minute. 7 global data centers with 350TB stored data
  – Estimate Splunk is 25% the cost of a traditional SIEM
  “We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team
  • 78. Security and Compliance @ Barclays
  • Challenges: Unable to meet demands of auditors
  – Scale issues, hard to get data in, and impossible to get data out beyond summaries
  – Not optimized for unplanned questions or historical searches
  – Struggled to comply with global internal and external mandates, and to detect APTs
  – Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
  • Enter Splunk: Stronger security and compliance posture
  – Fines avoided as searches easily turned into visualizations for compliance reporting
  – Faster investigations, threat alerting, better risk measurement, enrichment of old data
  – Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
  – Other teams using Splunk for non-security use cases improves ROI
  “We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services
  • 79. Splunk Key Differentiators (Splunk vs. Traditional SIEM)
  • Single product, UI, data store
  • Software-only; install on commodity hardware
  • Quick deployment + ease-of-use = fast time-to-value
  • Can easily index any data type
  • All original/raw data indexed and searchable
  • Big data architecture enables scale and speed
  • Flexible search and reporting enables better/faster threat investigations and detection, incl. finding outliers/anomalies
  • Open platform with API, SDKs, Apps
  • Use cases beyond security/compliance
  • 80. For your own AHA! Moment Reach out to your Scalar and Splunk team for a demo Thank you!
  • 81. INFOBLOX
  • 82. Are you prepared to withstand DNS attacks? Ed O’Connell, Senior Product Marketing Manager
  • 83. Infoblox Overview – DNS Security Challenges – Securing the DNS Platform – Defending Against DNS Attacks – Preventing Malware from using DNS
  • 84. Infoblox: Founded in 1999. Headquartered in Santa Clara, CA with global operations in 25 countries. Leader in technology for network control. Market leadership: Gartner “Strong Positive” rating; 40%+ market share (DDI). 6,900+ customers, 64,000+ systems shipped. 38 patents, 25 pending. IPO April 2012: NYSE BLOX. Total Revenue chart ($MM, fiscal year ending July 31, FY2007–FY2013): $35.0, $56.0, $61.7, $102.2, $132.8, $169.2, $225.0.
  • 85. (Diagram) Infoblox Grid™ with Real-time Network Database: a control plane spanning applications and end-points (virtual machines, private cloud, applications, end points) and network infrastructure (firewalls, switches, routers, web proxy, load balancers), providing infrastructure security and historical / real-time reporting & control.
  • 86. DNS is the cornerstone of the Internet, used by every business and government. DNS as a protocol is easy to exploit. Traditional protection is ineffective against evolving threats. DNS outage = business downtime.
  • 87. 1. Securing the DNS Platform – 2. Defending Against DNS Attacks – 3. Preventing Malware from using DNS
  • 88. Infoblox DNS Firewall – Prevents Malware/APT from Using DNS; Infoblox Advanced DNS Protection – Defend Against DNS Attacks; Hardened Appliance & OS – Secure the DNS Platform
  • 91. Multiple Open Ports
  – Many open ports subject to attack
  – Users have OS-level account privileges on server
  – No visibility into good vs. bad traffic
  – Requires time-consuming manual updates
  – Requires multiple applications for device management
  • 92.  Minimal attack surfaces
   Active/Active HA & DR recovery
   Centralized management with role-based control
   Tested & certified to highest industry standards
   Secured access, communication & API
   Secure inter-appliance communication
   Detailed audit logging
   Fast/easy upgrades
  • 93.  No scripts / auto-resigning / 1-click
   Central configuration of all DNSSEC parameters
   Automatic maintenance of signed zones
  • 95. ~10% of infrastructure attacks targeted DNS (Source: Prolexic Quarterly Global DDoS Attack Report Q4 2013): UDP FRAGMENT 17.11%, SYN 14.56%, UDP FLOODS 13.15%, ICMP 9.71%, DNS 9.58%, CHARGEN 6.39%, ACK 2.81%, RESET 1.4%, FIN PUSH 1.28%, SYN PUSH 0.38%, RP 0.26%, TCP FRAGMENT 0.13%.
  ~80% of organizations surveyed experienced application layer attacks on DNS (Source: Arbor Networks; percentage of survey respondents): HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VOIP 20%, Other 9%, IRC 6%.
  • 96. Distributed Reflection DoS Attack (DrDoS) – How the attack works
   Combines reflection and amplification
   Uses third-party open resolvers on the Internet (unwitting accomplices)
   Attacker sends small spoofed packets to the open recursive servers, requesting a large amount of data to be sent to the victim’s IP address
   Uses multiple such open resolvers, often thousands of servers
   Queries specially crafted to result in a very large response
   Causes DDoS on the victim’s server
  (Diagram: Attacker → open resolvers on the Internet → Target Victim)
  • 97. (Diagram) Infoblox Advanced DNS Protection on external DNS and internal DNS blocks DNS attacks while passing legitimate traffic; automatic updates come from the Infoblox Threat-rule Server; data for reports goes to the Reporting Server, which reports on attack types and severity.
  • 98. DNS attack types:
  – DNS reflection/DrDoS attacks: Using third-party DNS servers (open resolvers) to propagate a DoS or DDoS attack
  – DNS amplification: Using a specially crafted query to create an amplified response to flood the victim with traffic
  – DNS-based exploits: Attacks that exploit vulnerabilities in the DNS software
  – TCP/UDP/ICMP floods: Denial of service on layer 3 by bringing a network or service down by flooding it with large amounts of traffic
  – DNS cache poisoning: Corruption of the DNS cache data with a rogue address
  – Protocol anomalies: Causing the server to crash by sending malformed packets and queries
  – Reconnaissance: Attempts by hackers to get information on the network environment before launching a DDoS or other type of attack
  – DNS tunneling: Tunneling of another protocol through DNS for data exfiltration
  • 99. (Deployment diagram) Advanced DNS Protection deployed on external DNS (Internet / DMZ) and on internal DNS (intranet: datacenter, campus/regional, endpoints), with Grid Master and Grid Master Candidate (HA).
  • 101. (Timeline: 2013 Q2 – 2014 Q1)
  • 102. Cryptolocker “Ransomware”
   Targets Windows-based computers
   Appears as an attachment to legitimate-looking email
   Upon infection, encrypts files: local hard drive & mapped network drives
   Ransom: 72 hours to pay $300 US
   Fail to pay and the encryption key is deleted and data is gone forever
   Only way to stop it (after the executable has started) is to block the outbound connection to the encryption server
  • 103. Infoblox DDI with DNS Firewall and the Infoblox Malware Data Feed Service
  1. An infected device is brought into the office. Malware spreads to other devices on the network.
  2. Malware makes a DNS query to find “home” (botnet / C&C). Detect & Disrupt: DNS Firewall detects & blocks the DNS query to the malicious domain; the blocked attempt is sent to Syslog.
  3. Pinpoint: Infoblox Reporting lists blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history.
  4. DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service.
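The Detect / Disrupt / Pinpoint flow above as an added example (not Infoblox code): each DNS Firewall block forwarded to syslog is attributed to the device that held the client IP at that moment by joining it with the DHCP lease history, so a re-leased IP is not blamed on the wrong host. The BIND-style RPZ log lines, the lease table and the log year are constructed; Infoblox's actual syslog layout and lease export may differ.

```python
"""Added example: pinpoint the device behind each DNS Firewall (RPZ) block."""
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2013  # syslog lines carry no year; assumed for the constructed sample

# Constructed RPZ rewrite events as a DNS firewall would forward them to syslog.
SYSLOG_LINES = [
    "Aug  9 16:23:52 dns1 named[1234]: client 10.11.36.29#51234: rpz QNAME NXDOMAIN rewrite neverseenbefore.com via neverseenbefore.com.rpz.local",
    "Aug  9 16:24:10 dns1 named[1234]: client 10.11.36.29#51240: rpz QNAME NXDOMAIN rewrite cnc.bad-domain.example via cnc.bad-domain.example.rpz.local",
    "Aug  9 21:05:00 dns1 named[1234]: client 10.11.36.29#40011: rpz QNAME NXDOMAIN rewrite cnc.bad-domain.example via cnc.bad-domain.example.rpz.local",
    "Aug 10 09:00:00 dns1 named[1234]: client 10.11.36.77#40500: rpz QNAME CNAME rewrite drop.bad-domain.example via drop.bad-domain.example.rpz.local",
    "Aug 10 09:00:01 dns1 named[1234]: client 10.11.36.29#40501: query: www.example.com IN A + (10.11.36.1)",  # ordinary query, not a block
]

# Constructed DHCP lease history: (ip, mac, hostname, fingerprint, start, end).
# 10.11.36.29 is handed to a second device in the evening, so the join must use
# the lease active at query time rather than the IP alone.
LEASES = [
    ("10.11.36.29", "aa:bb:cc:00:00:01", "JOHNDOE-PC", "Windows 7",
     datetime(2013, 8, 9, 8, 0), datetime(2013, 8, 9, 20, 0)),
    ("10.11.36.29", "aa:bb:cc:00:00:02", "VISITOR-LAPTOP", "Mac OS X",
     datetime(2013, 8, 9, 20, 30), datetime(2013, 8, 10, 8, 0)),
    ("10.11.36.50", "aa:bb:cc:00:00:03", "PRINTER-3", "Printer",
     datetime(2013, 8, 1, 0, 0), datetime(2013, 8, 31, 0, 0)),
]

RPZ_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: rpz (?P<trigger>\w+) "
    r"(?P<action>\w+) rewrite (?P<qname>\S+) via (?P<zone>\S+)$"
)


def parse_rpz_line(line, year=LOG_YEAR):
    """Fields of an RPZ rewrite event, or None for any other syslog line."""
    m = RPZ_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S")
    return {"time": when, "ip": m["ip"], "trigger": m["trigger"],
            "action": m["action"], "qname": m["qname"], "zone": m["zone"]}


def lease_for(ip, when, leases=LEASES):
    """The lease covering `when` for this IP, or None (static or unknown host)."""
    for lease_ip, mac, host, fingerprint, start, end in leases:
        if lease_ip == ip and start <= when < end:
            return {"mac": mac, "hostname": host, "fingerprint": fingerprint}
    return None


def pinpoint(lines, leases=LEASES):
    """Join each RPZ block with the device that held the client IP at that time."""
    records = []
    for line in lines:
        ev = parse_rpz_line(line)
        if ev is None:
            continue
        dev = lease_for(ev["ip"], ev["time"], leases) or {
            "mac": None, "hostname": None, "fingerprint": None}
        records.append({**ev, **dev})
    return records


def hits_per_device(records):
    """Blocked queries per MAC; the None key collects hits with no lease match."""
    return Counter(r["mac"] for r in records)


if __name__ == "__main__":
    recs = pinpoint(SYSLOG_LINES)
    for r in recs:
        print(f"{r['time']} {r['ip']:<13} {r['hostname'] or '?':<15} "
              f"{r['mac'] or '?':<18} {r['action']:<8} {r['qname']}")
    print(hits_per_device(recs))
```

The 21:05 hit from 10.11.36.29 lands on VISITOR-LAPTOP, not JOHNDOE-PC, and the hit from 10.11.36.77 has no lease at all, which is the case to chase down by hand (static address or a device outside DHCP).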
  • 104. Infoblox DDI with DNS Firewall and FireEye NX Series
  1. Detect – FireEye detonates and detects malware (an endpoint attempting to download an infected file); alerts are sent to Infoblox.
  2. Disrupt – Infoblox DNS Firewall disrupts malware DNS communication to the malicious domains; the blocked attempt is sent to Syslog.
  3. Pinpoint – Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), DHCP lease (on/off network) and host name.
  • 105. Fast Flux – Rapidly changing domains & IP addresses used by malicious domains to obfuscate identity and location
  APT / Malware – Malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack (FireEye)
  DNS Hacking – Hacking DNS registry(s) & re-directing users to malicious domain(s)
  Geo-Blocking – Blocking access to geographies that have high rates of malicious domains or are under economic sanctions by the US Government
  • 106. DNS is the cornerstone of the Internet. Unprotected DNS infrastructure introduces security risks. A secure DNS solution protects critical DNS services: Infoblox DNS Firewall – prevents malware/APT from using DNS; Infoblox Advanced DNS Protection – defends against DNS attacks; Hardened Appliance & OS – secures the DNS platform.
  • 107. Thank you! For more information: www.infoblox.com
  • 108. Why Scalar for Security?
  • 109. The Issues
   Integration of Security Technologies
   Staffing
   Vulnerabilities
   Advanced threats
  • 110. The Issues
   Integration of Security Technologies is Challenging
  – Multiple formats of data
  – Data timing issues
  – Different types of security controls
  – Other data types
  • 111. The Issues
   InfoSecurity Staff
  – Different skills requirements: Architects; Malware Handling; Forensics; Vulnerability; Incident Management; Risk and Compliance
  – HR Costs: Premium technical personnel; Analysts, Specialists; Training and certification
  • 112. The Issues
   Vulnerabilities
  – Regular scheduled disclosures
  – Large volumes of ad-hoc patches
  – Many undisclosed zero days
  – Remediation is a continuous process
  • 113. The Issues
   Advanced Threats
  – Advanced Persistent Threats
  – Embedded threats
   Who?
  – State sponsored
  – Hacktivism
  – Hackers
  – Organized crime
  • 114. How to Secure It
   State-of-the-art Security Technologies
   Skills on Demand
  – Continuous Tuning of Rules and Filters
  – Cyber Intelligence, Advanced Analytics
  – Cyber Incident Response
  – Code Review, Vulnerability Assessment and Testing
  • 115. WRAP/QUESTIONS?
  • 116. THANK YOU.

Editor's Notes

  1. Key Message – Our Security Portfolio is focused on the question of how to secure core infrastructure. We deliver Security by focusing on next generation technologies & adaptive defensive techniques. Our experience in this space has shown us that threats are evolving very rapidly, and our approach emphasizes using leading next gen technologies rather than large, monolithic architectures, allowing you to react quickly to changes as they evolve. We back that up with industry leading expertise – we are the only authorized training centre in Canada for next-gen security technologies like Palo Alto Networks, F5 and Infoblox, leaders in their respective spaces. And we maintain technical & sales certifications with leading security companies including McAfee, Cisco.
  Key Partners & Technologies – Palo Alto, Fortinet, FireEye, McAfee, Cisco, F5, Infoblox
  Protection & Defence – The first line of defence is to stop unwanted intrusions & attacks so that they never penetrate your network. Scalar can design and deliver solutions to protect your network and applications, control your DNS & IP address properties and control user activity while ensuring speed and performance are maintained.
  Incident & Event Management – While protection is critical, it’s equally as important to deliver a rapid, effective & coordinated response to any intrusion or attack. That requires processes, discipline and tools, including a 24/7 Security Operations Centre with the staff & training to operate it. That’s how Scalar helps customers secure hundreds of endpoints, devices and networks.
  Threat Assessment & Penetration Testing – Improving your security posture means you need to understand where your vulnerabilities are. A vulnerability assessment can not only identify vulnerabilities in a system, but can help prioritize & rank the order in which they should be fixed, and educate internal stakeholders of the potential risks that exist. And while online tools exist, interpreting the results and developing a plan can be overwhelming for IT departments that lack the staff with the necessary skills. Scalar can conduct the assessments, and our analysts can work with you to develop a plan to close potential threats.
  3. Growth – Recognized on the PROFIT list of the fastest-growing companies in Canada for the last four years (since we became eligible in year 5 of our business). In 2013, we were 94 on the overall list, but 15 within the IT industry, and one of the highest-revenue companies overall.
  Canadian company with nationwide presence. Number 15 on the CDN List of Top 100 Solution Providers. Also named #46 on Branham300 of Canada’s leading ICT companies.
  We have a deep technical bench, we are not a call centre shipping product, we position ourselves as an extension of your business, and have the team in place to back this up.
  Though Scalar is in its 10th fiscal year, our founders have been doing this since 1990 when they were running Enterprise Technology Group (ETG). Since then that team has delivered over $1BN in mission-critical infrastructure.
  4. Core infrastructure is our background, our experience, and the primary focus of what we do – it underpins our business. As infrastructure has changed with the industry to be spread across public, private, hybrid etc., our customer needs have changed, and therefore so does our portfolio and focus. Today, we focus on building core infrastructure and then assisting our clients in securing it, ensuring it is running well (performance), and managing it (control). Though core infrastructure is the delivery vehicle for all applications, we do not deal at the application layer – we deal with security, performance, and control only as they relate to core infrastructure. This focus allows us to be the very best at what we do.
  We answer the questions: Core Infrastructure – How to build it? Security – How to secure it? Performance – How is it running? Control – How to manage it?
  5. Feel free to remove these section cover-slides
  6. Also: Dedicated PMO, finance, inside sales and operations teams. Every team in our organization is the best at what they do. It’s difficult to prove experience on a PowerPoint slide. Take a meeting with us and we’ll show you how our technical team is world-class.
  7. Unique infrastructure solutions designed to meet your needs – A great example is StudioCloud. When our media customers came to us with a problem, we developed an entirely new way for them to do business. We didn’t attempt to sell them more compute, or optimize their individual environments – we helped them form a coalition and a community cloud that allows them to pay for servers on an as-needed basis, and sub-lease to other companies in our cloud when they have excess capacity. Whether it’s a product-based solution, a professional service, or a managed service, we deliver the solution.
  Testing Centre & Proving Grounds – We train our engineers to be constantly evaluating and testing emerging vendors in our in-house testing centre. We offer fresh, cutting-edge technologies to our customers, while at the same time ensuring we have vetted, tested, and trained in those technologies. We offer leading-edge technologies that we KNOW are up to the task of Enterprise environments.
  Vendor Breadth – We offer both current and future market leaders in our portfolio.
  8. Execution is difficult to demonstrate on a slide, so instead we’ve decided to show you what some of our customers have said about us. Our tagline says it all – We Deliver. This is not “marketing speak” but the foundation of our business. Our commitment is first and foremost to our customers and we strive to become a trusted advisor and an extension of your business. This does not happen overnight, but rather through proving ourselves again and again. We are dedicated to finding the right solution for your business needs and delivering it to you efficiently and effectively.
  9. You may wish to switch some of these out depending on the specific messaging of your presentation. See appendix slides for more logos that you can copy and paste in. Please try not to have more than 12-15 logos on the slide overall.
  10. Context has many applications. Without context, a question from a colleague may sound like gibberish. With the appropriate context, the nonsensical begins to make sense.
  11. ANIMATED SLIDE – practice. 344 KB. Somewhat meaningless. Sure, it’s roughly 1/3 of a MB, but so what. <click> Traditional security will give you info on the IP addresses, and the port. So now you have a bit more context, but not much more. It’s something going across port 443; it may or may not be using SSL. But what else do you know? <click> But what if you had who the user was, which group they are in? <click> And wouldn’t the actual protocol be helpful? <click> And the application, and possibly the function in use? <click> The file type and file name. The context of the traffic being observed is more meaningful, allowing you to make more intelligent decisions, respond more rapidly to security incidents, and generate more complete reports. Think about what you can do, from a security perspective, with this data.
  12. ANIMATED SLIDE – practice! Or perhaps the 344 KB is more suspicious? <click> What if the 344 KB was a file being downloaded to the CFO’s desktop from an unknown URL registered in China? The context of the 344 KB again becomes far more meaningful. And in this case, the context may mean that more aggressive action needs to be taken.
  13. Now let’s look at a more real-world example of the value of context. Today’s cyberattacks are considerably more sophisticated than the attacks that one would expect to see even a few years ago. Most of these attacks will leverage multiple steps, in which each step builds on the previous toward a strategic goal. Multiple techniques are coordinated to work together, and the attackers attempt to hide their traffic and infrastructure whenever possible. This example walks through the very common steps of a modern data breach. First the user is enticed to click to see the pretty cat video. Enticement has become easy due to the unprecedented level of trust that social media has built. <click> When the unsuspecting user clicks, in the background, the exploit kit is downloaded. <click> Once delivered, the exploit calls a new URL with no reputation. <click> From that new URL, the complete piece of malware is pulled down. <click> It’s installed in the background, establishes a connection and C2 traffic begins. <click> A secondary payload may be pulled down, then spreads laterally. <click> Once the malware finds an attractive target, C2 is re-established and the exfiltration begins. <click> The challenge of stopping this attack becomes more significant when you realize that it uses SSL, contacts new URLs that are spun up/taken down instantly, uses AV evasion techniques, communicates using UDP and non-standard ports, pulls down added payload, spreads internally hiding in plain sight mimicking traffic patterns on your network, then begins exfiltration using applications commonly found on your network.
  14. Our platform is unique in its ability to natively classify and inspect all traffic, inclusive of applications, threats and content. And then we tie that traffic to the user, regardless of location or device type. Box 1: We scan ALL applications (including SSL traffic) to secure all avenues in/out of a network, applying positive control model security in order to reduce the attack surface area, and provide context for forensics. Box 2: Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures. Box 3 and feedback loop: Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base. Our approach is applicable across the network. At the gateway, in the datacenter, for segmentation and for carriers.
  15. Unique to our platform is a traffic classification that natively inspects all traffic, inclusive of applications, threats and content, then ties that traffic to the user, regardless of location or device type. Box 1: Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics. Box 2: Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures. Box 3 and feedback loop: Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base. Our approach is applicable across the network. At the gateway, in the datacenter, for segmentation and for carriers. For carriers, they are going to use a mix of the features across the listed use cases: protect customers from each other and carriers from customers; robust availability; scale to aggregate customer feeds.
  16. Let me start with the well-worn topic of the evolving threat landscape. I wanted to start here as we have all seen this and it is talked about everywhere. It’s time to turn the page on this and discuss what it means to be secure in the cyber world as opposed to what it means to be insecure. In other words, if we understand the problem, what’s the solution, what do we have today and what do we need to get there? Along the way I’ll do a few commercials for PANW but will make it obvious when I am doing it. Appreciate this being interactive.
  17. So, if you want to be secure in a cyber world, what must be true? Lots of things for sure, but let me start with 4. First, you must change your mindset from responding to cyber incidents to one of a cyber campaign. In doing that, you see the need for intelligence, as no war is won without that. Intelligence gives you a sense of what’s happening and why, and when you understand that, you are better prepared. But you can’t have intelligence without visibility, and the visibility must be broad and continuous. From the visibility and intelligence you see the indicators of compromise. And you can apply what you know of the IOCs to the kill chain. And then, ideally, everyone would share it all.
  18. Starting with intelligence. In some verticals, this is well understood. Going from a mindset of a discrete attack against which you are defending and then waiting for the next one, to one of an intelligence cycle where you look for the intelligence cycle in what you are seeing, and think of them as related to the campaign, not a discrete attack or point of attack.
  19. But you don’t have much intelligence if you don’t start with visibility. And visibility must be across your whole network. The concept of network really should include endpoints, and the network and the endpoints should be talking to each other. And visibility-wise, at a minimum, you should see and understand all applications, the content and the users. And then try to make sense of all you are seeing – the premise of big data. Maybe that sounds simple, but most organizations do not think in terms of intelligence, don’t have this kind of visibility, can’t make sense of what they do see, and don’t share or receive much of anything from anyone else.
  20. That’s bad enough, but even if you want to do all that and had the capability to do it, it is getting much harder. Much faster. Just think of the idea of the Network. That’s changing rapidly itself, and this presents a whole new set of issues. These changes are driven by things like location, at the same time as there are major advances in threat sophistication.
  21. Users off the network – not a big problem until all the apps moved off the network too.
  22. Users off the network – not a big problem until all the apps moved off the network too. Now no visibility or network security. (SSL VPN / Always Connected) Personal devices coming back on the network – but can operate off the network at will to bypass controls. (SSL VPN / BYOD)
  23. Servers being virtualized, giving rise to “east-west” traffic. (Firewall / Virtualization) Virtualized apps moving to the cloud – not even on the corporate network anymore. (Firewall / Public Cloud) Oh, and much of the traffic remaining within the corporate network is now encrypted. (Firewall / SWG)
  24. Giving rise to the concept of the new network and the traffic reality, all of which is well understood by the modern hacker. (IPS – Modern Malware) What does all this mean? To get intelligence and visibility, you have to have it across the network, but your technology to do this must be keeping up with, or better yet in front of, all these changes. PANW – you will hear all about this today, what we are doing in this regard.
  25. And then of course, but not simple. Let’s say you had all this great visibility and intelligence. What does it all mean?That’s where big data comes in. Our commercial here is the work we have done with Splunk, Netwitness, Arcsight etc.Interestingly perhaps is the usefulness of data that is based on apps, content and users. Great feedback from the joint PANW/Splunk customers
  26. So, if you have the intelligenceIn addition to making sense of it with big dataWhat would be very helpful is to apply it to the kill chainAnd what would be even better is if it were applied in a highly automated way
  27. We have some sense of thisPANW commercial – this is how our platform is architected and how it worksIt natively incorporates lots of the kill chain functionality that used to be disparateAs a result, it can quickly and in an automated fashion bring the kill chain to bear as opposed to hoping that each element stays ahead
28. Okay, so now let’s say you have the right mindset, have technology that gets you visibility, use the visibility to gain intelligence, apply the intelligence to the kill chain in a highly automated manner, and are feeling pretty good. How does it get better than that?
Leverage – always a good thing to have, and certainly in this case it helps a lot. You can get leverage by sharing what you know, and vice versa, with pretty much everyone, within the context of what you want or are allowed to do. Lots of focus on this in the external cases of standards efforts and partnership efforts.
29. But wouldn’t it be great, right now, if your network was automatically getting and receiving all the intelligence we discussed?
PANW commercial – that’s how we think it should work, and it is working right now with WildFire. Over 2000 customers getting the benefits of each other’s work here and the value of the network effect of sharing.
30. Want to touch on: You’ve heard about ISP (the intelligent services platform). The purpose of this preso is to provide more info on the security services. Before we do that, let’s talk about some technology trends.
Mobility and elasticity of data centers (consolidation, webification, private & public clouds… data centers have changed).
Before IP we had SNA and IPX. Each app had its own port. Now all these apps are being consolidated down to HTTPS. The complexity now resides over HTTP, impacting the overall infrastructure.
31. {NOTE TO SPEAKER: The key points to get across on this slide really are around the fact -- and this can be conveyed and leveraged in multiple different ways. What I like to articulate here is really that if you look at the attack types, you know, major attack types that exist here are application type attacks and web attacks. In addition to that, you can see here that the key thing is every single one of these customers in themselves had a firewall, and it was most likely a next generation firewall. And the reality of the situation is once again due to the fact that they leverage a piece of technology that was not designed to protect their data center, the resulting effect was that they weren’t protected and they were exploited. And it’s important that the individual conveying the slide, if you’re talking to a partner, that you can articulate that you do not want your customers to be one of the next large bubbles or bubbles that exist on this eye chart. Or if you happen to be a customer the last thing that you want is the company that you’re working for or protecting to be on this eye chart.}
33. Loss of business/customer base
Loss of intellectual property
Regulatory fines/legal costs
Cost of corrective action
Cost of volumetric flood service
Changing methods of doing business – drives new processes
Partners’ loss of trust in working with your company
Scrubbing service
Reputation management
34. Leveraging its expertise in application delivery and its deep fluency with applications, F5 introduces the Application Delivery Firewall, a new solution that integrates multiple networking and security components onto a single platform. The F5 Application Delivery Firewall runs across the entire product platform line, from virtual editions to the BIG-IP hardware line to the VIPRION. The F5 Application Delivery Firewall includes an integrated native network firewall, which is ICSA Labs certified, traffic management, industry-leading application security, access control, DDoS mitigation, SSL inspection, and DNS security. It’s also important to notice that the F5 ADF, besides the ICSA firewall certification, is also certified for IPsec, SSL VPN, and web application firewall. On top of that the F5 Application Delivery Firewall has EAL2+ Common Criteria certification, and EAL4+ is currently in progress.
35. When you’re delivering an application, you also have to worry about security. Again you have a few options – you can try to modify the application, you can put in point solutions, or you can use your ADC as a strategic point of control to secure both your applications and your data. BIG-IP LTM has a number of features that provide security at the application level.
Resource cloaking and content security – prevent error codes and sensitive content from being presented to hackers
Customized application attack filtering – search for and apply rules to block known application-level attacks
Packet filtering – L4-based filtering rules to protect at the network level
Network attack prevention – protect against DoS, SYN floods, and other network attacks while delivering uninterrupted service for legitimate connections
Message Security Module (add-on module)
Protocol Security Module (add-on module)
Application Security Manager (add-on module)
36. One of the key use cases of the application security solution is to provide defense and mitigation against HTTP and HTTPS based DoS attacks, and we achieve this in a couple of ways. Here we have a screenshot of the configuration. At the base level we’re able to detect a DoS condition based on certain conditions; what we’re highlighting here are the configurable parameters for latency. If the latency falls outside of the bounds, then it looks like a potential denial-of-service condition. Added to that, we’re able to identify potential attackers by layering on some additional criteria; in this case what we’re seeing here are the TPS metrics, and if those fall outside the specified bounds, then it looks additionally suspicious. And then finally we drop only the attackers, which we’re able to distinguish based on a couple of parameters, namely some source-IP-based and some URL-based parameters. The idea is that we want to block the malicious attackers but at the same time allow through valid users, because denial-of-service mitigation is more than just blocking all connections: we want to make sure that the availability of the application is maintained.
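The two-stage logic on this slide (latency bounds declare the DoS condition, then per-source and per-URL TPS pick out whom to drop) is easier to reason about in code. The following is an added example written for this page; it is not F5 code and not ASM’s actual algorithm. The thresholds, the sample traffic and the Request/DosPolicy/Verdict names are assumptions made for the illustration:

```python
"""Two-stage HTTP DoS detection in the spirit of the ASM configuration described
above: (1) server-side latency leaving its bounds declares a DoS condition,
(2) only then are sources and URLs with out-of-bounds transaction rates (TPS)
identified and blocked, so every other client keeps getting service.
Added example; thresholds and traffic are constructed, not F5 defaults."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Request:
    ts: float          # seconds from start of the window
    src_ip: str
    url: str
    latency_ms: float  # server response time observed by the proxy


@dataclass
class DosPolicy:
    window_s: float = 10.0           # length of the detection window
    latency_limit_ms: float = 500.0  # absolute latency bound ...
    latency_increase: float = 3.0    # ... or this multiple of the healthy baseline
    src_tps_limit: float = 20.0      # per-source transactions/second bound
    url_tps_limit: float = 30.0      # per-URL transactions/second bound


@dataclass
class Verdict:
    dos_detected: bool
    window_latency_ms: float
    blocked_ips: set = field(default_factory=set)
    blocked_urls: set = field(default_factory=set)


def evaluate_window(requests, baseline_latency_ms, policy=None):
    """Evaluate one window of requests against the policy and the latency
    baseline measured while the application was healthy."""
    policy = policy or DosPolicy()
    if not requests:
        return Verdict(False, 0.0)
    window_latency = mean(r.latency_ms for r in requests)
    dos = (window_latency > policy.latency_limit_ms
           or window_latency > policy.latency_increase * baseline_latency_ms)
    verdict = Verdict(dos, window_latency)
    if not dos:
        return verdict  # high TPS alone (a flash crowd) is not an attack
    per_src, per_url = defaultdict(int), defaultdict(int)
    for r in requests:
        per_src[r.src_ip] += 1
        per_url[r.url] += 1
    verdict.blocked_ips = {ip for ip, n in per_src.items()
                           if n / policy.window_s > policy.src_tps_limit}
    verdict.blocked_urls = {u for u, n in per_url.items()
                            if n / policy.window_s > policy.url_tps_limit}
    return verdict


def should_drop(request, verdict):
    """Enforcement: drop a request only if it comes from a blocked source or
    hits a blocked URL; everything else is served normally."""
    return request.src_ip in verdict.blocked_ips or request.url in verdict.blocked_urls


def build_sample_window():
    """Constructed 10-second window during an attack (not captured traffic)."""
    reqs = []
    # one noisy source: 250 requests to /login -> 25 TPS, above src_tps_limit
    for i in range(250):
        reqs.append(Request(i * 0.04, "203.0.113.9", "/login", 900.0))
    # distributed flood: 30 sources x 15 requests to /search -> 1.5 TPS each,
    # below src_tps_limit, but 45 TPS on the URL, above url_tps_limit
    for k in range(30):
        for i in range(15):
            reqs.append(Request(i * 0.6, f"192.0.2.{k + 1}", "/search", 900.0))
    # three legitimate users: 5 requests each, also suffering the high latency
    for n, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        for i in range(5):
            reqs.append(Request(n + i * 2.0, ip, "/login" if i % 2 else "/home", 850.0))
    return reqs


if __name__ == "__main__":
    v = evaluate_window(build_sample_window(), baseline_latency_ms=120.0)
    print("DoS:", v.dos_detected, "latency:", round(v.window_latency_ms),
          "blocked IPs:", v.blocked_ips, "blocked URLs:", v.blocked_urls)
```

The calm-window case is the point of the two stages: a flash crowd with high TPS but normal latency is never blocked, because the TPS stage only runs once latency says the application is suffering. URL-based blocking is the blunt fallback for a distributed flood where no single source crosses the per-source limit; it also cuts off legitimate clients of that URL, so a practitioner would rate-limit or challenge that URL rather than hard-drop it.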
37. Unable to secure dispersed web apps
No virtual WAF option for private cloud apps
Replication of production environment complicated and cost-prohibitive
Need to block app requests from countries or regions due to compliance restrictions
Limiting app access based on location is a good practice to quickly reduce the attack sources
Scanner scans applications to identify vulnerabilities and directly configures BIG-IP ASM policies to implement a virtual patch that blocks web app attacks
BIG-IP ASM is now importing vulnerabilities – not patches – (in v11); it effectively becomes a vulnerability management tool along with being a WAF. Obviously, the net effect is enabling very rapid response, particularly in the instance where you’re waiting for the third-party vendor to patch the vulnerability.
38. {NOTE TO SPEAKER: At this point in time in the presentation we should have already built the premise that we have an intelligent service platform, that we are discussing the security services portion of that platform, and that a huge advantage of our security offering is our full proxy architecture, and that since we have a custom built hardware we are able to achieve speeds and feeds that are far superior to anyone else. The other thing that we really need to be able to convey in this slide is that our technology has been designed for customers of the data center, and our requirements have always been driven from service provider, you know, in very, very large customers with very, very significant demands. I don’t normally mention Facebook specifically named, but I talk about the fact that we have customers that have a billion unique users that are actually traversing our particular technology. And these advantages have really enabled us to be able to build a security technology that is far superior to what our competition is. And so I like to convey that I’ve worked with customers that have load balanced firewalls, that they load balanced logs coming from firewalls, and even just recently I talked to a customer that actually was load balancing Juniper SSL VPNs. And I asked him how many users they had, and they had 20,000 users. And what was interesting is our largest box can do 5x of what that box can do, and they were having to load balance I think six or seven other devices.
So we really need to be able to tie specific use cases in this slide, we really need to be able to tie this back to our custom-built technology, and then we really need to be able to also ensure that they understand other elements such as the fact that DDoS requires connections per second, it requires the ability to ramp connections, it requires the ability to sustain connections, but in addition to that, beyond just malicious DDoS, just traditional increase in traffic from good purposes also require significant increase in connections per second. And they should have, all of our customers should have the capacity to be able to withstand, whether it’s malicious or non-malicious. So it’s very critical that we’re able to not just give these numbers as a bunch of blah but that we’re actually able to articulate and correlate and tie these back to why it’s so beneficial that each of these stats will provide them significant value. You know, one more element here is speaking on the access side of it is that as more users, more things become mobile, as more applications are moved out to the cloud, the demand on remote access devices is significantly increasing. So we’ve spent a lot of time talking about our data center firewall or the ADF, and we’ve spent a lot of time talking about the needs and speeds and feeds in other areas, but it’s also very critical that the demand on our customers around remote access also has just as much of a need for these performance requirements.}
39. Here we have a view of the Application Delivery Firewall solution as it maps to the constituent software modules in the BIG-IP family. It’s important to note that ADF is an umbrella solution with various software modules that can be licensed, depending upon the exact requirements and the deployment scenario for the customer. What this means is that there’s extensibility and investment protection in the BIG-IP system: at its core the Application Delivery Firewall, which consists of the Advanced Firewall Manager as its base, is extendable, and customers can add on additional modules as they need, depending on what their network demands.
So as I mentioned, BIG-IP AFM is the base, the foundation of the ADF solution. AFM is the integrated, native, stateful full-proxy firewall upon which the rest of the security modules are oriented. AFM has the integrated UIs, so the configuration of security policy is oriented around applications. It has flexible and detailed logging and reporting, which enables security teams to analyse what’s going on with their security posture in the network. It natively supports layer four up through layer seven: native TCP, SSL and HTTP full proxies, and the SSL, of course, includes SSL visibility. It also includes network and session DDoS mitigation.
Aside from AFM, there’s BIG-IP LTM, which is the traffic management or application delivery controller functionality that F5 excels at. This is the industry’s number one, the leading application delivery controller, which brings with it the application fluency and the per-application health monitoring.
The rest of the modules that are available: BIG-IP ASM is our web application firewall product, which is a no-brainer for PCI compliance needs. PCI DSS (requirement 6.6) requires at a minimum a web application firewall or, as the alternative, at least annual application vulnerability assessments of the public-facing web application, which are very expensive. ASM also has virtual patching for newfound vulnerabilities, HTTP DDoS mitigation, and IP detection, where IP is intellectual property: the ability to detect bots that would do screen scraping (another slide covers IP protection specifically).
BIG-IP Access Policy Manager (APM) has not only identity access control but also includes the SSL VPN component; it is what does the unified access management for applications.
Additionally we have GTM and DNSSEC. GTM is the Global Traffic Manager, which is essentially an extremely scalable DNS solution, but at the same time can also offload DNS queries and even sign DNS responses.
Beyond this, we also have IP intelligence and geolocation. These are licensable add-ons (not licensable modules) which provide context-aware security. IP intelligence provides reputation information based on the source IP address (an additional slide covers this). Geolocation is the ability to tie an IP address to a specific region in the world. With both IP intelligence and geolocation we are able to make more intelligent decisions; this is the context-aware intelligence that we speak about.
Supporting all of this we have iRules, which is the extensibility piece of the BIG-IP family: a scripting language which allows the BIG-IP system to take customizable actions in the data plane depending on characteristics of the traffic transiting the system.
  40. Splunk now has more than 850 employees worldwide, with headquarters in San Francisco and 14 offices around the world.Since first shipping its software in 2006, Splunk now has over 6,000 customers in 90+ countries. These organizations are using Splunk software to improve service levels, reduce operations costs, mitigate security risks, enable compliance, enhance DevOps collaboration and create new product and service offerings. Please always refer to latest company data found here: http://www.splunk.com/company.
41. At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
42. Data is growing and embodies new characteristics not found in traditional structured data: volume, velocity, variety, variability/veracity. Machine data is one of the fastest-growing, most complex and most valuable segments of big data. All the web servers, applications, network devices – all of the technology infrastructure running an enterprise or organization – generate massive streams of data, in an array of unpredictable formats that are difficult to process and analyze by traditional methods or in a timely manner. Why is this “machine data” valuable? Because it contains a trace – a categorical record – of user behavior, cyber-security risks, application behavior, service levels, fraudulent activity and customer experience.
43. Our rapid ascent reflects the customer traction we have and the value we deliver to customers – with over 2800 security customers and 50% year-over-year growth, we are the fastest-growing SIEM vendor in the market. In two short years we raced up to the Leaders quadrant of the Gartner SIEM Magic Quadrant.
44. The SC Magazine award was determined by the readers of SC Mag, who are IT security professionals. We beat out:
HP for ArcSight Express
IBM Software Group for QRadar SIEM
LogRhythm for LogRhythm
NetIQ for NetIQ Sentinel 7
SolarWinds for SolarWinds Log & Event Manager (LEM)
45. Over 2800 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
Over 2800 customers use Splunk for security and/or compliance use cases
Approx. 400 use the Splunk App for Enterprise Security, first introduced in 2009 with v1.0
Customers have been using Splunk to build their own SIEM as early as 2007
Leader in the Gartner MQ in 2013
Splunk is used for adjacent use cases such as fraud, compliance and insider threats
Widely used across many verticals for security
Flexibility, scalability, speed (time-to-answer), search and analytics are why customers use Splunk for security
46. One solution for Splunk for Security, but three offerings. At the bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this, as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it.
On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. They can be built by Splunk, customers or partners, and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content, do not want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app, with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost, though.)
Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3. The majority of Splunk security customers use Splunk Enterprise and the free apps. Customers also leverage the API and SDKs that come with Splunk to further extend the platform.
47. A key part of IT security is protecting confidential data, which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need non-security and security data, because advanced threats avoid detection by signature-based security products; the fingerprints of an advanced threat often are in the “non-security” data. Most traditional SIEMs just focus on gathering signature-based threats, which do *not* have the fingerprints of advanced threats. The above scenario is worse if there is no SIEM: instead, point UIs and grep are used, and aggregating data is very manual and time consuming.
48. To make sound security decisions, 4 data types are required:
Traditional structured and unstructured log data
Binary data – flow data for machine-to-machine communications, and packet capture for analysis of packet payloads, looking for malicious code in PDFs, TIFFs or PNGs, or email, for example
Context data – the data locked in business systems that are clues to employee behaviors; examples: is Joe on vacation, has he not taken a vacation in the last 24 months, who’s being laid off, etc.
Threat intelligence data that can tell us in near real time about new IPs and domains that may be malicious
The sheer volume, velocity, variety and variability of the data make this a big data problem.
49. Use case 1. Alert from a point product UI or traditional SIEM. The pin board image on the right indicates the “cold case/CSI” sort of investigation that Splunk can enable. (FYI – the papers on the pin board image do not tell a “real” investigation story, so do not try to read all the images on the pin board.) From a forensics perspective, things like endpoint OS logs or packet captures can be put into Splunk at the time of the investigation to get deeper into the details.
Existing SIEMs struggle with incident investigations because they cannot:
Retain all the original unmodified data (because they normalize/reduce it)
Pivot easily among the data, because it is in different data stores (logger/SIEM/Hadoop/etc.) with no common UI
Quickly return search results (because their DB causes scale/speed issues)
Do external lookups with much flexibility
50. Use case 3. It is about taking thousands of security events that are low severity in isolation and connecting the dots in an automated, policy-driven manner, to see when a combination of seemingly low-severity events, when correlated, is actually a high-severity incident that needs immediate attention.
There are hundreds of possible cross-product correlations. The one above tells the story of a data loss event being detected by signature-based security products:
For a specific internal IP address running Windows, someone logs into it using the default administrative user name “Administrator”, which is not good. All users should have a unique user name (not root or Administrator) so you know exactly who is doing what in the IT environment. The OS logs see this login.
Endpoint-based anti-malware sees known, bad malware running on that machine. Malware means “malicious software” and is a red flag because it may lead to data being stolen by a hacker.
A data loss detection (in this case a rule on the Snort intrusion detection/prevention sensor) sees unencrypted credit card numbers leaving the organization from the above machine. This data loss of credit cards is a major red flag.
Why these 3 events are bad: these 3 events happening on the same machine in a short time period indicate a hacker inappropriately logged into the machine, probably using stolen credentials, then put malware on the machine, perhaps a backdoor to remotely connect back to the machine later, then exfiltrated stolen credit cards from the machine. The credit cards may then have been used for illegal purposes, which ultimately may have resulted in the costs of re-issuing credit cards, bad publicity, unhappy customers taking their business elsewhere, customer lawsuits, fines for PCI non-compliance, etc.
Splunk can correlate on all these 3 events happening on the same machine within a short time period. It has connected the dots to find the proverbial needle in the haystack. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
Two other sample correlations:
The firewall on an internal PC indicates the PC is being port scanned from an internal IP address; a network-based firewall indicates it is being port scanned from the same internal IP address; important settings have been changed on the suspicious internal machine. Why: the machine associated with the IP address may have been compromised by a threat which is doing internal reconnaissance.
A vulnerability scanner shows that an internal server has an unpatched OS; the intrusion detection system sees an external attack on that specific server that exploits the vulnerability in the OS. Why: the server is likely to be successfully compromised.
51. Use case 4. Like the prior slide, so see the notes at the top. But in this case the events being correlated on are all from “non-security” data sources. This is because the threats are “unknown” to traditional security products, because no signature exists for them. Each of these events in isolation would raise no alarms. Only when combined can you see that they are risky, because they represent outliers/anomalies that could be advanced threats like a sophisticated cybercriminal or a nation-state.
There are hundreds of possible cross-product correlations. The one above tells the story of a spearphishing attack done in order to obtain and steal confidential data. More sample correlations are on the next slide. In the scenario above, Splunk is keeping track of all the external email domains that are sending emails into the company, all external web sites being visited by internal employees, and all the services and executables running on internal machines. It can automatically count up things like the number of emails received from each external domain, the number of times employees visit each external web domain, etc., to see the rarely seen items that are outliers. In the above scenario:
Splunk sees an email reach an internal employee from an external email domain that has never/rarely been seen before
That same employee then visits a web site that is never/rarely visited by internal employees
A service starts up on the employee’s machine that is never/rarely seen in the organization
Why these 3 events are bad: these 3 events happening on the same machine in a short time period indicate a hacker has performed a spearphishing attack. They sent a realistic-looking email to an internal employee that compelled the employee to click on a link or open an executable. This resulted in the web site dropping malware on the machine.
Splunk can correlate on all these 3 events happening on the same machine within a short time period. It has connected the dots to find the proverbial needle in the haystack. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
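Slides 50 and 51 describe one mechanism with two different inputs: several low-severity events on the same host inside a short window. The block below is an added example written for this page; it is not a Splunk correlation search and not part of the Enterprise Security app. The event schema, host names, the 15- and 10-minute windows and the rarity cut-off (a value seen at most twice in the history) are assumptions made for the illustration:

```python
"""Cross-source correlation as described for slides 50 and 51: events that are low
severity alone become a high-severity incident when they hit the same host inside a
short window. Rule 1 chains signature-based events; rule 2 chains "never/rarely seen"
values from non-security data, using frequency counts over the history as the outlier
test. Added example; every event below is constructed, not a real log."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


@dataclass
class Rule:
    name: str
    window_minutes: float
    conditions: List[Tuple[str, Callable[[Event], bool]]]  # all must match


def _ts(e: Event) -> datetime:
    return datetime.fromisoformat(e["ts"])


def correlate(events: List[Event], rule: Rule) -> List[dict]:
    """One incident per host where every condition of the rule is met by some
    event on that host within rule.window_minutes of the first one."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            deadline = _ts(start) + timedelta(minutes=rule.window_minutes)
            matched = {}
            for e in evs[i:]:
                if _ts(e) > deadline:
                    break
                for cname, pred in rule.conditions:
                    if cname not in matched and pred(e):
                        matched[cname] = e
            if len(matched) == len(rule.conditions):
                incidents.append({"rule": rule.name, "host": host,
                                  "start": start["ts"], "evidence": matched})
                break  # one alert per host is enough
    return incidents


# Rule 1 (slide 50): shared admin account login + known malware + card data leaving.
KNOWN_BAD_RULE = Rule("admin login + malware + card number egress", 15, [
    ("admin_login", lambda e: e["type"] == "login" and e.get("user") in ("Administrator", "root")),
    ("malware", lambda e: e["type"] == "malware_detected"),
    ("card_egress", lambda e: e["type"] == "card_number_egress"),
])


def value_counts(events: List[Event], etype: str, key: str) -> Counter:
    return Counter(e[key] for e in events if e["type"] == etype)


def rarity_rule(history: List[Event], rare_max: int = 2) -> Rule:
    """Rule 2 (slide 51): rare sender domain, rare web domain and rare service on
    one host within 10 minutes; 'rare' = seen at most rare_max times overall."""
    emails = value_counts(history, "email_received", "domain")
    sites = value_counts(history, "web_visit", "domain")
    services = value_counts(history, "service_start", "name")
    return Rule("rare sender + rare site + rare service", 10, [
        ("rare_email_domain", lambda e: e["type"] == "email_received" and emails[e["domain"]] <= rare_max),
        ("rare_web_domain", lambda e: e["type"] == "web_visit" and sites[e["domain"]] <= rare_max),
        ("rare_service", lambda e: e["type"] == "service_start" and services[e["name"]] <= rare_max),
    ])


def build_sample_events() -> List[Event]:
    """Constructed OS, anti-malware, IDS, mail, proxy and endpoint events."""
    ev = [  # slide 50 chain on ws-042 inside 15 minutes
        {"ts": "2014-05-06T09:00:00", "host": "ws-042", "type": "login", "user": "Administrator"},
        {"ts": "2014-05-06T09:04:00", "host": "ws-042", "type": "malware_detected", "name": "Backdoor.Generic"},
        {"ts": "2014-05-06T09:09:00", "host": "ws-042", "type": "card_number_egress", "dst": "203.0.113.77"},
        # the same three events on ws-017 but hours apart: must not correlate
        {"ts": "2014-05-06T01:00:00", "host": "ws-017", "type": "login", "user": "Administrator"},
        {"ts": "2014-05-06T13:00:00", "host": "ws-017", "type": "malware_detected", "name": "Adware.Foo"},
        {"ts": "2014-05-06T23:00:00", "host": "ws-017", "type": "card_number_egress", "dst": "203.0.113.77"},
    ]
    for n in range(40):  # background: common sender domain, intranet site, svchost
        h = f"ws-{100 + n}"
        ev.append({"ts": f"2014-05-06T10:{n:02d}:00", "host": h, "type": "email_received", "domain": "partner.example"})
        ev.append({"ts": f"2014-05-06T10:{n:02d}:30", "host": h, "type": "web_visit", "domain": "intranet.example"})
        ev.append({"ts": f"2014-05-06T10:{n:02d}:45", "host": h, "type": "service_start", "name": "svchost.exe"})
    ev += [  # slide 51 spearphishing chain on ws-042: every value seen only once
        {"ts": "2014-05-06T14:00:00", "host": "ws-042", "type": "email_received", "domain": "invoice-portal.example"},
        {"ts": "2014-05-06T14:03:00", "host": "ws-042", "type": "web_visit", "domain": "cdn-update.example"},
        {"ts": "2014-05-06T14:05:00", "host": "ws-042", "type": "service_start", "name": "updsvc.exe"},
    ]
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    for inc in correlate(events, KNOWN_BAD_RULE) + correlate(events, rarity_rule(events)):
        print(inc["host"], inc["rule"], "starting", inc["start"])
```

The window is the parameter that decides everything: at 15 minutes the identical events on ws-017 are three unrelated tickets, at 24 hours they are the same incident, so the window has to match how fast the attacker you expect actually moves. The rarity rule shows why the notes insist on non-security data: none of its three conditions references a signature, only how often a domain or executable has been seen before, so a brand-new phishing domain scores as high as a known-bad one.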
52. Interac, a leader in debit & electronic payment services out of Canada. On Splunk.com we have an ROI story for them, and they have presented at Splunk events several times.
Before Splunk, they used point UIs and grep to do security investigations and run daily security reports. Very time consuming and inefficient. They would have many different personnel involved in security-related data collection, analysis and correlation. It was a very involved, manual process that consisted of reviewing a variety of different log formats from a mixture of devices and interfaces. No single tool or interface existed for incident and root cause analysis. This led to an increased amount of time researching issues and building reports for senior management. A security investigation could take days for a low-severity event, to weeks if any events were deemed medium to high severity.
They looked at traditional SIEMs and found them too bloated, requiring extensive resources and development time, and too expensive.
Now they have over 15 data sources going into Splunk, and they created 3 custom Apps that have over 80 reports driven through 8 menus and 26 individual dashboards. Very easy for IT Security and others to use Splunk for security use cases. They also do real-time alerting on things like user privileges being escalated, possible data loss, and anomalous database activity. The end result is the ROI listed here. Not listed here, but IT also uses Splunk for root cause analysis on key business applications and underlying storage systems. Developers can also access the log data to help them with troubleshooting.
See the ROI study at: http://www.splunk.com/web_assets/pdfs/secure/Splunk_at_Interac.pdf
53. Cisco, the global networking company. Their internal security team uses us: 7 clusters around the globe, 900 GB a day, 350 TB of stored data. (Note – while Cisco has presented this info at numerous public events, and also blogged about it, please limit this information just to the customer you are presenting to – do not make public.)
Some logging and SIEM solutions we have used or evaluated required considerable effort to process custom formats (custom parsers, etc.)
In our experience with SIEM 1 we found it to be rigid, inflexible, and difficult to customize
Modifying how
We like the ability to throw data of virtually any format/structure at our logging system
No API/CLI
Fat Java-based clients
Only direct database access or, worse, no alternative access
Making scripting and automation more challenging
In the past, it wasn’t uncommon for regular reports and ad-hoc queries run against the SIEMs to take hours to complete
CSIRT undertook a reevaluation of the logging/SIEM project in mid-2010, running a number of trials and proofs of concept, wrapping up in early 2011
In CY12Q1 we retired the SIEM that had been in use since CY03 (NetIQ)
Extensive migration project to replicate all existing playbook reports from the SIEM in Splunk logging has been successful
Moved over 400 regularly scheduled reports from our SIEM into the new logging solution
Global logging solution deployed by end of CY11
Also see: http://blogs.cisco.com/security/security-logging-in-an-enterprise-part-2-of-2/
Based on sheer cost of deployment, we estimate that the investment for a global logging solution was roughly 25% of what deploying a full SIEM would have cost us
Began mid-2010, completed early 2011
Evaluated, trialed, ran PoCs: Splunk and three other loggers; SIEM 1 and six other SIEMs
Strategy moving forward: retire current SIEM; undertake global logging; estimated 25% of SIEM cost
Over 90% of the team is using the tool (whereas before we primarily had analysts running reports)
It is a great fit for the brand new analyst all the way up to the most seasoned investigators
Much higher percentage than SIEM 1 (which required logging in via a fat client or using direct DB access)
With our revamped event collection deployment we are: indexing over 35x the volume of data we were previously; querying on average 20x faster
Long queries: with SIEM 1, 2% took over 1 hour; with Splunk, <0.5% take over 1 hour
54. Barclays, the large financial services firm out of Europe. They use us for incident investigations, security dashboards (top malware sites employees visit, potentially infected endpoints), and IT ops use cases as well. They needed a security logging and monitoring solution that could scale and was flexible for historical searches. (Note – while Barclays has presented this info at numerous public events, and also discussed it in the media, please limit this information just to the customer you are presenting to – do not make public.)
Also see:
http://www.computing.co.uk/ctg/news/2262548/without-splunk-we-might-be-taken-out-of-the-market-says-barclays
http://www.computerweekly.com/news/2240183238/Barclays-indexes-machine-data-to-meet-complex-regulation
http://www.computerworlduk.com/in-depth/applications/3442941/barclays-tackles-complex-regulatory-environment-with-splunk/
55. Infoblox is not a start-up. The company was started more than a dozen years ago – our technology is mature and field proven.
The company HQ is in the heart of Silicon Valley with global operations in all major geographies – we do business in 3 regions (Americas, EMEA, APJ). We have sales, support and development operations in 25 countries and we do business in over 70 countries around the world.
Infoblox makes essential technology to control networks – we’ll dig into that a bit later in the
We are a market leader in the space that we serve – with Strong Positive ratings from Gartner (3 years in a row) and 40% market share. (Note: the Gartner MarketScope and market share stat are specific to DDI.)
Infoblox has a massive customer base – our latest count is 6,900 different companies; we have shipped 64,000 systems.
We are innovative, with a formal patent program for our employees. As of right now we own 32 patents with 25 more pending.
Last but not least – the company did a successful IPO in April 2012. We now share our financial results publicly – which can be seen on the right.
  56. Infoblox can help organizations deal with the risks and expenses associated with key trends in the world of networks… Let’s take a look at how:
  Click: The modern network is made up of the infrastructure layer, which is all the devices you’re very familiar with (switches, routers, firewalls, load balancers, web proxies, etc.).
  Click: These devices exist to support this layer – your apps and endpoints, ranging from Voice over IP phones to tablets and smartphones, to all the VMs and private clouds, all servicing the applications that drive the business.
  Click: Infoblox plays in the middle, in the control plane. We put our technology on a high-performance, highly available and secure platform (we call this the Grid). The Grid has a very powerful, distributed network database that keeps all the information in one place.
  So what does Infoblox do?
  Click: We deliver discovery, real-time configuration & change management, and compliance for this layer.
  Click: And we deliver essential network control functions like DNS, DHCP and IPAM (known as DDI) for this layer.
  Click: Since new threat vectors are targeted at the network, especially the DNS architecture, we offer security solutions for risk mitigation.
  And since we touch all these devices and capture real-time data in a single place…
  Click: we can do some amazing real-time and historical reporting as well as advanced control.
  57. Networks are constantly being exploited using DNS for a variety of criminal purposes today. DNS is the cornerstone of the internet and attackers know that DNS is a high-value target. Without their DNS functioning properly, enterprises cannot conduct business online. The DNS protocol is stateless, which also means attackers cannot be traced easily. The DNS protocol can be exploited easily: it is easy to craft DNS queries that cause the DNS server to crash or respond with a much amplified response that congests the bandwidth. The queries can be spoofed, which means attackers can direct huge amounts of traffic to their victim with the help of unsuspecting accomplices (open resolvers on the internet). All these reasons make DNS an ideal attack target.
  58. We are a critical component of the customer infrastructure and a target for many of these attacks. The big issue is using DNS as an open global communication mechanism that is not well secured – not a well protected channel. Customers can use our purpose-built hardware and best practices to ensure the infrastructure is safe. Malware communicates using DNS to resolve the name.
  – Purpose-built secure hardware
  – Common Criteria certified
  – Rate limiting
  – Best practices
  59. Hacking of DNS servers is becoming more prevalent each day. For those bad actors with extensive hacking skills it’s a quick path to inflicting damage and getting hold of mass amounts of traffic/users quickly. Just in the last 15 months there have been hacks of the DNS servers of LinkedIn, Google Malaysia, and MIT. Traffic to these sites, in the thousands of visitors per hour, provides a great source of unwilling participants for hackers.
  60. Security – Purpose-Built Appliances
  Infoblox has designed, built and delivered hardened appliances from which secured DNS, DHCP, and IP address management applications are delivered. For the appliances Infoblox has delivered:
  – Minimal attack surface (task-specific hardware) – No extra or unused ports that could be used to access the OS or power external devices, e.g. a USB port for a Wi-Fi access point.
  – Active/Active HA & DR recovery – Simple VRRP-based HA setup, with fail-over and fail-back to ensure availability. Active/active DR recovery ensures operations during a disaster.
  – Tested & certified to the highest industry standards – Common Criteria EAL-2 certification: hardware/software and manufacturing processes verified. FIPS 140-2 certification.
  – Secure inter-appliance communication – 128-bit AES Grid VPN communication: all cross-appliance communication is protected and cannot be intercepted.
  – Centralized management with role-based control – Central view of all appliances/processes & management. Role-based admin controls segment access, control, and management of applications or networks.
  – Secured access, communication & API – 6 authentication methods; two-factor auth (CAC/PKI); HTTPS web access; SSL-based REST/Perl API; GSS-TSIG & TSIG.
  – Detailed audit logging – For tracking of changes and enabling un-do of incorrect changes.
  – Fast/easy upgrades – Reduce downtime and risk of upgrades.
  ** NOT ON SLIDE **
  – Restrictive/hardened Linux OS – Non-essential processes not enabled.
  – Root access disabled – Control over operations cannot be compromised.
  61. DNSSEC in 1 click
  – No scripts / auto-resigning / 1 click
  – Central configuration of all DNSSEC parameters
  – Automatic maintenance of signed zones
  62. Arbor survey: This year Arbor collected 220 responses to the Infrastructure Security Survey, November 2012 to October 2013
  63. The Advanced Appliance can sit on the Grid. Now let’s see Advanced DNS Protection in action. Regular Grid appliances like the Grid Master and the reporting server sit on the Grid. Let’s assume we have two Advanced Appliances, one external authoritative and the other functioning as an internal recursive server. DNS attacks come interspersed with legitimate DNS traffic at the external authoritative server. Advanced DNS Protection pre-processes the requests to filter out attacks; it responds to legitimate DNS requests. The attack types and patterns are sent to the Infoblox Reporting server. When Infoblox detects new threats, it creates rules and updates the Advanced Appliance. The rule updates are propagated to other Advanced Appliances on the Grid.
  64. Here’s a high-level categorization of the attacks that Advanced DNS Protection protects against. These are just a high-level categorization and there are several rules created for each of these attack types. Some of the key attacks we have seen growing in number in the last year or so are the DrDoS attacks that use a combination of reflection from multiple open recursive servers on the internet and amplification to really flood the target victim’s server. The reflection, amplification and floods all cause huge amounts of traffic to be sent to the target victim, overwhelming the target server and eventually leading to a Denial of Service (DoS).
  Detailed explanation of attacks (if more info is needed):
  DNS reflection/DrDoS attacks – Reflection attacks use a third-party DNS server, mostly an open resolver, on the internet to propagate a DDoS attack on the victim’s server. A recursive server will process queries from any IP address and return responses. An attacker spoofs the DNS queries he sends to the recursive server by including the victim’s IP address as the source IP in the queries, so when the recursive name server receives the requests, it sends all the responses to the victim’s IP address. DrDoS (Distributed Reflection Denial of Service) uses multiple such “host” machines or open resolvers on the internet, often thousands of servers, to launch an attack on the target victim. Amplification (described next) can also be used while generating these queries to increase the impact on the victim. A high volume of such “reflected” traffic can overwhelm the victim server and bring down the victim’s site, creating a Denial of Service (DoS).
  DNS amplification – An attack where a large number of specially crafted DNS queries are sent to the victim server. These specially crafted queries result in a very large response that can reach up to 70 times the size of the request. Since DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to cause the DNS server to generate a much larger volume. When the victim tries to respond to these specially crafted queries, the amplification congests the DNS server’s outbound bandwidth. This results in a Denial of Service (DoS).
  DNS-based exploits – Attacks that exploit vulnerabilities in the DNS software, causing it to terminate abnormally so the server stops responding or crashes.
  TCP/UDP/ICMP floods – Volumetric attacks with massive numbers of packets that consume a network’s bandwidth and resources. TCP SYN floods consist of large volumes of half-open TCP connections. This attack takes advantage of the way TCP establishes connections: the attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed, leaving false connections in the queue until they time out. The system under attack quits responding to new connections until the attack stops, meaning the server is not responding to legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS). UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening on the port but doesn’t find them. The remote server is then forced to return a large number of ICMP Destination Unreachable packets saying that the destination is unreachable. The attacker can also spoof the return IP address so that the replies don’t go to the attacker’s servers. Sending the replies exhausts the victim server’s resources and causes it to become unreachable. ICMP attacks use network devices like routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death and smurf attacks. These overwhelm the victim server or cause it to crash due to overflow of memory buffers.
  DNS cache poisoning – Corruption of DNS cache data. It involves inserting a false address record for an Internet domain into the DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker’s address. Newer cache-poisoning attacks such as the “birthday paradox” use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache. Cache poisoning prevents access or redirects clients to a rogue address, preventing legitimate users from accessing the company’s site. Inducing a name server to cache bogus resource records can redirect web browsers to bogus replicas of web sites, where logins, passwords and credit card numbers are captured, and email to hostile mail servers, where mail can be recorded or modified.
  Protocol anomalies – Sending malformed DNS packets, including unexpected header and payload values, to the targeted server. They make use of software bugs in the protocol parsing and processing implementation. The victim server stops responding by going into an infinite loop, or crashes.
  Reconnaissance – Attempts to get information on the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behaviour patterns that, if identified, can provide early warning. No direct effect on the server, but indicates an impending attack.
  DNS tunneling – Tunneling another protocol through DNS port 53 (which is allowed if the firewall is configured to carry non-DNS traffic) for the purposes of data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
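As an added illustration (not Infoblox code or the product's rule set), the Python below applies two of the checks a rate-limiting pre-processor would use against the flood and amplification patterns just described: peak per-source query rate, and the response/request byte ratio that characterises amplification. The log format, thresholds and addresses are constructed for the example.

```python
"""Added example, not Infoblox's code: classify sources in a DNS server log by
the flood / amplification patterns described above, using two checks a
rate-limiting pre-processor would apply: peak queries per second per source
IP and the bytes-out / bytes-in amplification ratio."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Query(NamedTuple):
    ts: float        # epoch seconds
    client: str      # source IP as seen by the server (the victim, if spoofed)
    qtype: str       # DNS record type
    qname: str
    req_bytes: int   # size of the incoming query packet
    resp_bytes: int  # size of the response the server would send back


def parse_log(text: str) -> List[Query]:
    """Parse the constructed space-separated log format used in this example."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, req, resp = line.split()
        out.append(Query(float(ts), client, qtype, qname, int(req), int(resp)))
    return out


def analyze(queries: List[Query], qps_limit: int = 50,
            amp_limit: float = 10.0) -> Dict[str, dict]:
    """Per source IP: peak 1-second query rate, amplification ratio and flags.

    Because reflection attacks spoof the victim's address as the source, the
    'client' that trips these limits may be the victim rather than the attacker;
    capping responses per source is exactly what limits the reflected volume.
    """
    per_second: Dict[str, Counter] = defaultdict(Counter)
    bytes_in: Counter = Counter()
    bytes_out: Counter = Counter()
    any_count: Counter = Counter()
    for q in queries:
        per_second[q.client][int(q.ts)] += 1
        bytes_in[q.client] += q.req_bytes
        bytes_out[q.client] += q.resp_bytes
        if q.qtype == "ANY":
            any_count[q.client] += 1
    report = {}
    for client, buckets in per_second.items():
        peak = max(buckets.values())
        ratio = bytes_out[client] / bytes_in[client]
        flags = []
        if peak > qps_limit:
            flags.append("rate_limit")
        if ratio >= amp_limit:
            flags.append("amplification")
        report[client] = {"peak_qps": peak, "amp_ratio": round(ratio, 2),
                          "any_queries": any_count[client], "flags": flags}
    return report


# Constructed sample: three ordinary lookups from one client, plus 120 ANY
# queries in under a second whose responses are ~75x the request size.
SAMPLE_LOG = "\n".join(
    ["1700000000.01 192.0.2.10 A www.example.com 45 61",
     "1700000000.02 192.0.2.10 AAAA www.example.com 45 73",
     "1700000001.50 192.0.2.10 MX example.com 40 120"]
    + [f"{1700000000 + i / 200:.3f} 198.51.100.7 ANY example.net 40 2980"
       for i in range(120)]
)

if __name__ == "__main__":
    for ip, row in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, row)
```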
  65. Enterprises can deploy Advanced DNS Protection either as an external authoritative server or as a recursive/caching server inside their network. This diagram shows a typical deployment scenario in the external case and in the internal case. The first scenario helps to protect the network from external, internet-borne attacks that target the authoritative DNS. The second scenario is more common in the education vertical, where the university traffic can be as bad as the internet traffic, so universities’ IT departments can use Advanced DNS Protection for their internal DNS server to ensure that the internal network is protected from attacks launched from within their network.
  66. Before we talk about disrupting malware, which may be random or targeted, we need to understand the problem first. The problem is that malware is used to drive security breaches around sensitive information or to steal money. Before you on the screen right now are just some of the breaches from CQ’ 2013 into CQ1’ 2014 that used malware extensively. Let me go through a couple of examples. In the 1st quarter, the NY Times was hacked and information exfiltrated over a period of 4 months. An outside company was brought in at great expense to clean up the NY Times infrastructure. The outside vendor found 45 different malware instances, only 1 of which was caught by anti-virus. Another example in the 1st quarter is Facebook. Facebook was infected via Java-based malware that was accidentally downloaded by several Facebook employees outside of the Facebook network and brought back into the network. Facebook found the Java-based malware because a DNS administrator noticed a sudden burst of DNS requests for domains in Russia. In the 2nd quarter it was announced that malware was used to steal credit card numbers and other information from the likes of VISA, JC Penneys, NASDAQ and Carrefour, which totalled $300 million. In the 3rd quarter of this year Adobe was hacked using malware, and an outside security researcher discovered the breach when he found source code for 4 of Adobe’s products on a known hacker website. Finally – retail was a big target in late CQ4’ 2013 and early CQ’2014. Neiman Marcus, Target and several others were breached and credit card information for tens of millions was stolen. Target, Neiman Marcus and URM Stores (Washington State) found that their credit card point-of-sale (Windows) computers were breached and customer credit card data stolen. Each vendor had to announce it publicly. The impact on their business was 3-fold: (1) customers shopped elsewhere because they lost faith in the retailers; (2) they also had to hire a 3rd-party vendor to do forensics on their environment to find out what happened; (3) IT lost productivity because all servers and POS systems had to be checked, updated and cleaned.
  67. Here is one more example of malware that DNS Firewall is effective against. CryptoLocker is a new name for a piece of malware (so-called ransomware) that has been updated and is now back in distribution. CryptoLocker is Windows-based malware that is spread via various “pay per infection” methods; that is, the crooks pay other crooks to infect you. Currently it is being spread in at least two different ways. One is email, where the attached malware is disguised as a PDF or voice-mail audio file. A second is via trojans already present on the machine which are commanded to download CryptoLocker. Once CryptoLocker is on a Windows machine it encrypts the files on the local hard drive or shared drives by getting an encryption key from an internet-based server. The encryption key is a 2048-bit RSA key. As you can see on the screen, a pop-up window informs you that your files are encrypted and you have 72 or 100 hours to pay 300 dollars or euros to get access to your data. The only way to stop the encryption process is to block access to the encryption servers on the Internet. Infoblox DNS Firewall disrupts CryptoLocker by blocking DNS queries to the encryption servers.
  68. Infoblox DNS Firewall – How does it work?
  1. An infected mobile device is brought into the office. Upon connection, the malware starts to spread to other devices on the network.
  2. The malware makes a DNS query for a “bad” domain to find “home.” The DNS Firewall has the “bad” domain in its table and blocks the connection.
  3. The DNS server is continually updated by a reputational data feed service to reflect the rapidly changing list of malicious domains.
  4. Infoblox Reporting provides a list of blocked attempts as well as the IP address, MAC address, device type (DHCP fingerprint), host name and DHCP lease history (on/off network).
  5. Reputation data comes from:
  – Infoblox DNS Firewall Subscription Service – blocking data on domains and IP addresses from 35+ sources throughout the world. Geo-blocking is also part of the service.
  – Infoblox DNS Firewall – FireEye Adapter – APT malware domains and IP addresses to be blocked are communicated to DNS Firewall from FireEye NX Series.
  69. What protection does DNS Firewall provide?
  – DGA (Domain Generating Algorithm) – Malware that randomly generates domains to connect to malicious networks or botnets; the initial infection seeking to connect and download more software.
  – Fast Flux – Rapid changing of domains & IP addresses by malicious domains to obfuscate identity and location.
  – APT / Malware – Targeted-attack APT / malware designed to spread, morph and hide within IT infrastructure to perpetrate a long-term attack. Integration with FireEye enables DNS Firewall to protect against APT.
  – DNS Hijacking – Hijacking DNS registry(s) & redirecting users to malicious domain(s). An example of this is the Syrian Electronic Army hijacking of DNS servers in Australia and directing NY Times and Twitter users to their malicious domains.
  – Geo-Blocking – Blocking access to geographies that have high rates of malicious domains or economic sanctions by the US Government. Ideal for governments and small businesses that don’t do business overseas, whose users would therefore have no legitimate reason to be going to a domain hosted in that country. Examples of regions with a high ratio of malicious domains: Russia, Moldova, Lithuania, most countries in Africa, etc. A good example of how geo-blocking helps – CryptoLocker: DNS Firewall with the DNS Firewall Subscription service and geo-blocks for Eastern Europe provides zero-day protection against CryptoLocker.
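The following Python is an added example (not Infoblox code) that models the DNS Firewall flow from the two notes above: each query is checked against a reputation blocklist, a geo-block list of country-code TLDs, and a DGA heuristic, and blocked queries are joined with DHCP lease data so the report carries the IP, MAC, device fingerprint and host name. The blocklist entries, lease table, DGA thresholds and addresses are all constructed for the example.

```python
"""Added example, not Infoblox's code: a minimal model of the DNS Firewall
decision flow. Checks run in order: reputation feed, geo-block by ccTLD, then a
DGA heuristic; blocked queries are enriched with DHCP lease data for reporting."""
import math
from collections import Counter
from typing import List, Set, Tuple

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_dga(label: str, min_len: int = 12, min_entropy: float = 3.5,
                   max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic with constructed thresholds (not a vendor rule): long,
    high-entropy, vowel-poor labels are typical of algorithmically generated names."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def classify(qname: str, blocklist: Set[str], geo_blocked: Set[str]) -> Tuple[str, str]:
    """Return ("block", reason) or ("allow", "") for one query name."""
    labels = qname.lower().rstrip(".").split(".")
    # 1. reputation feed: match the name itself or any parent domain
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in blocklist:
            return "block", f"reputation:{suffix}"
    # 2. geo-block by country-code TLD
    if labels[-1] in geo_blocked:
        return "block", f"geo:{labels[-1]}"
    # 3. DGA heuristic on the registrable (second-level) label
    if len(labels) >= 2 and looks_like_dga(labels[-2]):
        return "block", "dga"
    return "allow", ""


def firewall_report(queries, blocklist, geo_blocked, leases) -> List[dict]:
    """Blocked queries joined with DHCP lease data, as the reporting step does."""
    rows = []
    for client_ip, qname in queries:
        action, reason = classify(qname, blocklist, geo_blocked)
        if action != "block":
            continue
        lease = leases.get(client_ip, {})   # None fields when no lease is known
        rows.append({"ip": client_ip, "qname": qname, "reason": reason,
                     "mac": lease.get("mac"), "host": lease.get("hostname"),
                     "device": lease.get("fingerprint")})
    return rows


# Constructed sample data (not real indicators).
BLOCKLIST = {"bad-c2.example", "malware.example.org"}
GEO_BLOCKED = {"ru", "md", "lt"}          # ccTLDs for countries named above
LEASES = {
    "192.0.2.21": {"mac": "00:11:22:33:44:55", "hostname": "LAPTOP-7",
                   "fingerprint": "Windows"},
    "192.0.2.22": {"mac": "66:77:88:99:aa:bb", "hostname": "phone-3",
                   "fingerprint": "Android"},
}
QUERIES = [("192.0.2.20", "www.example.com"),
           ("192.0.2.21", "update.bad-c2.example"),
           ("192.0.2.22", "xk3jd9qpwz7vnb.com"),
           ("192.0.2.23", "shop.example.ru")]

if __name__ == "__main__":
    for row in firewall_report(QUERIES, BLOCKLIST, GEO_BLOCKED, LEASES):
        print(row)
```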
  70. DNSSEC enablement with automated key maintenance simplifies implementation and reduces risk
  71. This concludes the Infoblox webinar – Protect DNS from Being an Accomplice to Malware. We hope it has been informative for you. If you’d like to find out more you can contact Infoblox Sales at sales@infoblox.com or go to the Infoblox website at www.infoblox.com.
  72. Key Message – Our Security Portfolio is focused on the question of how to secure core infrastructure. We deliver security by focusing on next-generation technologies & adaptive defensive techniques. Our experience in this space has shown us that threats are evolving very rapidly, and our approach emphasizes using leading next-gen technologies rather than large, monolithic architectures, allowing you to react quickly to changes as they evolve. We back that up with industry-leading expertise – we are the only authorized training centre in Canada for next-gen security technologies like Palo Alto Networks, F5 and Infoblox, leaders in their respective spaces. And we maintain technical & sales certifications with leading security companies including McAfee and Cisco.
  Key Partners & Technologies – Palo Alto, Fortinet, FireEye, McAfee, Cisco, F5, Infoblox
  Protection & Defence – The first line of defence is to stop unwanted intrusions & attacks so that they never penetrate your network. Scalar can design and deliver solutions to protect your network and applications, control your DNS & IP address properties and control user activity while ensuring speed and performance are maintained.
  Incident & Event Management – While protection is critical, it’s equally important to deliver a rapid, effective & coordinated response to any intrusion or attack. That requires processes, discipline and tools, including a 24/7 Security Operations Centre with the staff & training to operate it. That’s how Scalar helps customers secure hundreds of endpoints, devices and networks.
  Threat Assessment & Penetration Testing – Improving your security posture means you need to understand where your vulnerabilities are. A vulnerability assessment can not only identify vulnerabilities in a system, but can help prioritize & rank the order in which they should be fixed, and educate internal stakeholders about the potential risks that exist. And while online tools exist, interpreting the results and developing a plan can be overwhelming for IT departments that lack staff with the necessary skills. Scalar can conduct the assessments, and our analysts can work with you to develop a plan to close potential threats.
  73. SIEM is only as good as the people that deploy it and the processes that manage it.
  – URL filtering data typically shows up late
  – Different types: multiple vendors or similar technologies (firewalls from different vendors)
  – Other data types: vulnerability data, physical security systems
  74. InfoSec staff are expensive. They are smart and ambitious; as soon as they are trained they leave… They have, in some cases, very granular skills. Facilities costs: labs, tools (IDA Pro, Responder Pro, EnCase).
  75. Vulnerability management is a continuous process that must have measurable results. It is not solely about patching or fixing vulnerabilities. It is about managing part of your business. It is about auditable results.
  – Needs to be a continuous process
  – Requires an advanced knowledge of vulnerabilities and patching as well as server hardening
  – Not all vulnerabilities are patch related: compliance and other types of issues
  – Dealing with zero days
  – Assessing risk
  76. APT is a very overused term these days. It is THE problem but does not explain how to resolve it. It is resolved with state-of-the-art technology deployed in the right place and managed by the right people who understand how to interpret the results and action them in the correct priority.
  – Infected devices, video cables, etc.
  – Who?
  – Neiman Marcus: 60K events triggered, but these were probably just noise inside millions of events.
  – NSA ANT / TAO (Tailored Access Operations)